AI Made Simple
AI Made Simple: The Transformation Series explores how AI is reshaping how organisations work, lead, and scale. Hosted by international AI trainer and speaker Valeriya Pilkevich, the show features conversations with senior leaders, innovators, and practitioners driving real-world AI transformation. Each episode reveals what it really takes to make AI work — from leadership and culture to data, governance, and everyday workflows.
AI Made Simple
Shamane Tan on Where Cybersecurity and AI Literacy meet
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
AI literacy and cybersecurity used to be two separate skills. Not anymore. The biggest AI risks inside most companies today don't come from hackers. They come from how employees use AI every day: what they paste, what they upload, which ungoverned tools they reach for to get work done faster.
In this episode of AI Made Simple: The Transformation Series, I'm joined by Shamane Tan, founder at AMBA, best-selling author of three executive cybersecurity books including Cyber Risk Leaders and Building a Cyber Resilient Business, and the newly appointed Singapore Governor for the Global Council for Responsible AI. We discuss:
- Why AI literacy and cybersecurity have become the same skill
- The two extremes most companies fall into when adopting AI, and why both fail
- Why AI magnifies every weakness your organization already has
- The one question every business leader should ask their team this week
Connect with Shamane Tan: LinkedIn: https://www.linkedin.com/in/shamane Connect with Valeriya: LinkedIn: https://www.linkedin.com/in/valeriya-pilkevich YouTube: https://www.youtube.com/@aimadesimpletalks Podcast: https://aimadesimple.buzzsprout.com
Need help building AI capability in your organization? Book a call.
Everyone's talking about AI adoption, but almost no one asks the harder question first. Who is accountable when it goes wrong? Welcome to AI Made Simple, the transformation series. I'm Valeria Pilkievich, and I talk with global leaders, innovators, and practitioners for shaping the future of work in the age of AI. I'm joined today by Shamin Tan, founder of AMBA, a strategic growth company helping leaders find their highest leverage move and turn it into commercial momentum. She's also a best-selling author, TEDx speaker, and founder of Cyber Risk Meetup, a global community of over 5,000 security professionals. We talk about the real risks hiding behind everyday AI use, shadow AI, data leakage, and the danger of trusting, confident-sounding output. We get into why some companies move too fast on AI and others shut it down too fast, and what the golden needle actually looks like. Shamin, it's great to have you on the podcast. Thank you for joining.
SPEAKER_01Yes, thank you so much for having me and looking forward to the conversation that we'll be having.
SPEAKER_00Shamin, you've built a fascinating career in cybersecurity in a field that actually has not had many women at the table uh in the history. Why cybersecurity, right? What was the path that got you where you are now?
SPEAKER_01Okay, so uh that definitely brings me back to maybe 20 years ago. So I'll keep it short, but I think when I was in school, cybersecurity was not a word that people use in everyday conversation the way we use it today. So what most of us knew about hackers back then came from the movies. So there was this uh really mysterious, extremely talented people who could break into systems with a few keystrokes. And I remember thinking that is so cool. But uh more than that, always had a love for gadgets. I think since young I was quite curious about how things work, and I did not necessarily always understand um how computers work at the start, but I think it's about that curiosity to keep things going. That curiosity eventually just led me into um studying computer engineering um at Nangyang Technological University. So that was in Singapore, graduated with honors, but um, I would say my path um into cybersecurity was not completely traditional. So I started in tech and people facing roles and later pivoted more deeply into cyber. So I would always tell people that it's not too late to pivot into cyber if that's something that you are interested in or you want to make your mark in this field. There are the traditional ways of getting into cybersecurity, but there's also the many non-linear ways. And I would attribute a lot of my journey to you know the people who came before me, who opened the doors, who gave me opportunities, and allowed me to learn and grow in that space. So I think over time, then you know you'll end up finding your own lane. And for me, it was about helping to bridge the technical world with the business world. And I realized cybersecurity is not just about systems or tools. It was a lot of focusing on the trust that you built, about leadership as well, decision making, and helping executives understand risk in a way that they can actually act on.
SPEAKER_00How did your role evolve with generative AI being so much democratized? Of course, artificial intelligence existed long ago, but since Chat GPT and beginning 2023, everybody started using the tools. So I'm wondering how your role and what you do, how did it evolve with this whole generative AI wave? Yeah, that's a very good question.
SPEAKER_01Because uh the more people use it, uh then there is it's it's a good thing in a way, because then uh everyone is on to something. They're all learning and growing together, they're discovering together as well. But with that, when a great tool is in the hands of even everyday users, then there's also um the responsibility comes with it of how are they able to really understand the power that they have in those tools, how can they use it safely, wisely, and um a lot of education has to go into it because we also want to make sure that they are thinking about the risk and how do they um work with AI in a collaborative manner, bringing out the best of the tools, but doing it in a safe way. Um I would say shadow AI is talked a lot these days, but um, the bigger point is that you know, we're not talking about uh when you talk about security risk, it's not just about being hacked in the traditional sense anymore, because a lot of AI risk today comes from how people use AI in uh invisible, in the ungoverned ways. So I would say just very basic level, because this podcast is about AI made simple. Someone pasting you know confidential data into an AI tool, someone uploading a contract for summarization, someone that's using AI to analyze customer information. Or if you're using it to connect a third-party plugin or an agent without realizing the permissions that you know all these tools have been given. Or there's a lot of these cases where people are using AI-generated content without verifying if it's accurate. So the way I usually think about it is um there are quite a few risks that keep showing up again and again. So if you think about it at high level, one is I mentioned already, like shadow AI, the tools are just being used without the organization really knowing. The second one would be data leakage, where sensitive business or customer information goes into the tools that have not been accessed. And then there is the overtrusting as well of the output because AI can sound very confident even when it's wrong. And increasingly, there is also the risk around third-party tools and the agents, especially when you're connected to emails, documents, systems, code bases, or workflows. So that is what makes AI risk quite tricky. And it doesn't always look like a security incident at the start. So sometimes it can just look like someone trying to get through their work faster and trying to be more productive, and because of that, they overlook a lot of risks that come with it.
SPEAKER_00Do you have any examples of what went wrong in the companies that ignored these risks or maybe did not have the guidelines in place, did not educate enough their employees? Yeah, that there are quite a lot of these examples.
SPEAKER_01It usually starts with, it doesn't start with the wrong intention. Most of them, you know, their employees have good intention and they're trying to use it to increase their productivity or automate certain things. And because they give too much control to those AI agents, it ends up wiping off all their data unnecessarily, uh, or sends out emails that doesn't um sound like them and is not meant to be sent out to those uh could be customers or partners they work with. So there are too many cases like that, and you know, in a way that's quite concerning as well because it keeps growing and growing, and we are finding um that to be a common conversation these days. So I think for me, like if I would have just summarize maybe the key things that I'm seeing, I I do see two extremes right now. So there is like one sort of organization that falls in a bucket where I would say you use like the yay or the nay. So there is uh one organization that that, sorry, some organizations that are yay, you know, too fast. They rush into AI adoption because everyone is so excited about not just productivity, but speed and the competitive advantage that they want to gain. But they did not bring governance, security, privacy, legal, accountability into those conversations early enough. So the the trick is like you have to start this conversation right at the beginning, not only at the end. And then on the other side, you see some organizations are nay, too fast. They shut everything down immediately into like just de-risking everything. But in doing so, they miss the opportunity to learn, to build, and to even enhance their capability and guide their people properly. So I understand why both reactions would happen. Leaders would either want to move very quickly because they see the opportunity or because they they might want to shut it down because they see the risk. But I think the real work that needs to happen is also to help people with those who are in somewhere in the middle. Um they're adopting AI with enough intention, structure, and accountability. Because I would say AI doesn't just create capability, it actually magnifies what already exists. So if an organization um already has weak governance or unclear ownership or siloed decision making or just poor data habits and unclear accountability, then AI will really expose and amplify that even more.
SPEAKER_00So essentially, what you're saying is that the golden middle is you allow your employees, your people to experiment with those tools, but do it not in a sandbox, but with those guardrails. So we give you this uh governance or this policy everybody's aware of. And inside of this guardrails, you can experiment and build and uh your agents.
SPEAKER_01Yeah, I think also we need to think about um, yeah, we want to make it safe for them to be able to use it in a confident manner. I mean, but nothing's too safe uh at the end of the day. But I think we have to think about what happens if, let's say, if there's an AI assisted response that gives a customer wrong advice, who is going to own that decision? Is it an employee who used it, the business unit that approved the process, or the organization that allowed the workflow to go live? So this is where many organizations are not prepared. They're asking, like, how do we use AI faster? before asking, you know, where should AI be used, um, who's accountable, and what should never be outsourced to AI. So those thinking processes as well need to be already considered beforehand so it's clear for people to know how they can operate within that.
SPEAKER_00You already mentioned then also necessity to provide AI literacy trainings or to make sure that people understand the risks from your experience, from the companies you work with. Is the topic of security and risks addressed enough? Is everybody really understands it? What risks does it have if I upload my skill, for example, from the internet?
SPEAKER_01Yeah, I'm I'm smiling because that's a lot of cyber leaders, it's a battle for them as well because uh they have the same mission to empower organizations to understand risk better and uh how can they work with them in a in a smarter way, I would say. But you will see like the companies that are approaching this more maturely are not necessarily the ones with the most tools. They are the ones actually where the leadership has set a tone already. The teams are not left to interpret on their own on how to use AI. So at a simple level, they are asking, I would say, the top three things that need to be asked is where is AI being used, what data is going into it, and what decisions or workflows is it influencing. So the more forward-looking organization would be able to create structure, process, education for people to use AI with confidence. One big thing when it comes to like security, right? A lot of organizations do um it's a it's a challenge for them to know where their data really sits. So AI does at another layer. And and now everyone needs to try to understand where AI is showing up in the business and how it is changing the way people work. Good governance shouldn't just be a department of no, because every time you just say no, it's just people will find a way around it. But if you do good governance well, then it gives people clearer boundaries so they can actually move faster with confidence.
SPEAKER_00Shammain, in your book, Building a Cyber Resilient Business, you argue that security can't just sit in the IT department. It has to be embedded across the whole business. Now every department is using AI. So where are the biggest risks coming from, and how do you see this as a shared responsibility? Yeah, that's a very good question.
SPEAKER_01Because for a long time as well, the same journey has been trying to get different departments on the same journey and understanding and supporting the same mission of how security should be it's a cyber risk. If you want to become resilient as an organization, it takes it's a team sport. It takes all the different leaders across different departments and divisions to really work together and champion it as well. So, likewise for AI, you know, when every department is not adopting AI, that really becomes even more important. And every department needs a basic level of security, privacy, and accountability awareness. The risk is also spread out now, so it's not definitely not sitting in just one department. To give you an example, like HR, they might be using, and we are seeing them use AI across recruitment, employee information. They are finding ways as well to um identify new skills that are required in the AI era. So they are using AI in another level. What about legal and finance? They would be working with contracts, forecasts, sensitive business data, sales and marketing as well. They might be putting uh customer insights or working with AI using like their proposals or campaign plans into the AI tools. So each of them looks good on the surface, but the data involved could be quite sensitive. So definitely helps to have maybe likewise what we're doing with cybersecurity, having AI AI champions inside the different business functions where they can advocate for responsible AI. The good thing is that they understand the context of their own department and they can help translate the security and governance principles into everyday decisions. So now cyber resilience has to become part of how the business operates and not something that IT comes in to clean up later. And the same thing should follow for AI.
SPEAKER_00And when we talk about governance, because these tools evolve so fast, for example, ChatGPT recently launched workspace agents and skills as well as Gemini of Enterprise. There are agents now, and of course, Claude with cowork, Claude Code. Many companies are feeling lost. Now we have to rewrite our AI policy, and then look, maybe in one year there will be agent teams orchestrating agent teams. How can you keep your AI policy or the governance that you build around these tools up to date because it's changing so quickly?
SPEAKER_01I would say you cannot do it alone because it's very dependent on what you know, you know, uh obviously what the organization's context and things like that. But it helps to be part of whether it's committees or being involved in communities as well that are actively doing a lot of research and discovery and understanding of those spaces because that's one of the fastest ways to grow together. So, for example, there's like a global responsible AI council that's been formed. And then you know, you're when you're part of that group, you see the different movements of other countries, new regulations that have been put in place, what other countries are doing, what top organizations are doing, and those cascade down as well to the rest of the it's not just public sector, but across private sector as well, because you can learn from public and private sector. I always think that they can collaborate more and learn from each other, and you see a lot of benefits from there. So that that would be a good way as well to help upskill faster and keep on top of what are the you know good ways to go about it and incorporate that into your own organization too.
SPEAKER_00If you could sit down with a business leader listening to this episode and give them one piece of advice about AI and cybersecurity, one thing they have to do this week, what would that be?
SPEAKER_01Yes, that's a great question because there's a lot of things that business leaders can do. There's a lot of advice, there's different priorities, but I would say maybe start with something really simple. You know, I will ask every business leader to find out how their people are actually using AI in their organization. So, not how they think people are using it, but how the people are really using it. And then, you know, just ask your departments things like what AI tools are you using, what kind of work are you using them for, and what data are you putting into those tools? Because once the leaders have the visibility, it helps them make better decisions about gut rails, training or governance and accountability.
SPEAKER_00Thank you so much. Uh Shameen, I have two fireside questions. So very quick ones. First one is what's one AI tool that you personally cannot live without right now? And how do you use it? Wow, okay. I have a favorite. No, I have three favorites.
SPEAKER_01So it's quite hard. Just one. You're allowed to just speak one. I will also lovable because uh yeah, it's it's so fascinating to really do some vibe coding, and then it pushes the boundaries of what you can traditionally build with just your developer skills, programming skills, versus being able to speak the words and then form the architecture of it, and then using AI agents to help you do the uh build out, and you get to see a lot of great proof of concepts coming to life in that way, and helps you to be even more creative with what you want to build.
SPEAKER_00Can you share like what did you build where you were proud of yourself using Lava Ball?
SPEAKER_01I did build a lot of different things because it was part of learning as well and challenging yourself. Like, for example, a lot of people use LinkedIn to share, you know, their profile, their thoughts. But I thought it would be interesting to audit your profile and see how you score in terms of um are you being able to share the messaging in the right way with people and especially with your community. Does it send the right signals based on your profile? So it came out of a way just to audit your LinkedIn profile and automate that and comes out with cool reports and you're able to collaborate with the two to help yeah, churn out the outcome in a really fast manner.
SPEAKER_00I think I did one of those that you were sharing maybe with with some birds or something like this, where you were like a character, like a LinkedIn character based on your posts and based on your profile. That was very fun. That's a different one.
SPEAKER_01That was on personalities. So again, I that's I feel like it's helpful people understand the different personalities or stakeholders they have to work with better. And more importantly, you need to understand how you're communicating and maybe what kind of um people you're able to speak to based on the personality you are and also their personality. So coming out of an assessment and a way to bring in the this, you know, D I S C um assessment together with a lot of other behavioral assessments and putting that together to come up with a fun, fun outcome of like what bird are you bird are you? Adult personality. Yeah. So that was another example.
SPEAKER_00Yeah, it was a great one. And one more question: what skill do you think will become more valuable as AI gets better? Everybody now is talking about future skills and future-proofing oneself. So, what do you think is just one skill that will be irreplaceable in the coming years?
SPEAKER_01That's a very great question because it's so topical right now. If I give a quick analogy, which has helped me also, is you know, when we look at, I think of AI like a horse, because we're in the year of a horse, according to the Asian year. And you know, it's very hard to outrun the horse and we can never overtake them. However, if we get on the horse and we ride it, we can go further together. So the way I see it is it's a great skill if we can learn how to work with AI better and understand it better and bring in our human judgment because together it can be a very powerful way of uh going ahead and you know not leaving people behind. We we definitely need that skill today.
SPEAKER_00Thank you so much. Thank you for sharing all of the insights and taking the time. Thank you so much for having me. You can find Xiamain Tan on LinkedIn and learn more about her work at AMBE. All links are in the show notes. If you enjoyed this episode, follow AI Made Simple, the transformation series, for more conversations with practitioners shaping how AI is actually adopted inside organizations. Thanks for listening.