PETRA SÖDERLING & CO.

S5E7: Standards, Spyware, and $10 per iPhone

Janne Uusilehto

"Complexity is the biggest enemy of security."

Janne Uusilehto, a veteran who has led security and privacy engineering at Nokia, Microsoft, and Google, joins the podcast to peel back the curtain on the hidden world of cybersecurity standards.

He reveals why industry rivals, like the original mobile phone giants, agreed to rules that ultimately generated massive passive income to intellectual property owners, and how this collaboration actually accelerates innovation.

We discuss the emerging threats that keep security leaders up at night, including AI-driven polymorphic attacks and the risks hidden in the code supply chain. Finally, Uusilehto offers his candid take on geopolitics and tech policy, arguing that over-regulation in places like the EU risks stifling necessary innovation.

Tune in to understand why investing in people is more critical than investing in tools, and how the rules you never see are securing the digital world you live in.


Automatically generated transcript


petra--_1_10-01-2025_150352: [00:00:00] My guest today is Janne Uusilehto, a pioneer in cybersecurity and privacy engineering. Over the past 20 years, Janne Uusilehto has led security and privacy at companies like Nokia, Microsoft, and Google, where he helped design privacy systems that protect billions of users. He's also been at the center of global standardization efforts, bringing together competitors to agree on common rules for mobile security.

petra--_1_10-01-2025_150352: No small feat. Beyond industry, Janne Uusilehto has advised governments to the EU and even NATO on how to keep our digital world secure. Today we'll talk about why standards matter, where cybersecurity is headed, and how tech policy and geopolitics are shaping the future of innovation. Welcome to the podcast.

janne-uusilehto_1_10-01-2025_090352: Thanks. My pleasure.

petra--_1_10-01-2025_150352: So, uh, let's start, uh, by, you have been at the heart of [00:01:00] cybersecurity for more than two decades, from Nokia to Google, and you've helped set and drive global standards. Standards are one of two of my pet peeves that many people find strange. The other one is forklift trucks. So I have a fairly good understanding of what they are and why they are needed.

petra--_1_10-01-2025_150352: But for someone outside of this field, why should they care about standards and standardized cybersecurity in particular, how does this really affect everyday life?

janne-uusilehto_1_10-01-2025_090352: Hmm, that's a good question. I'm sure what sexy I can, uh, answer to this, but maybe I, I go for more, more generic terms. Um, I think for the security professionals especially, uh, standards are giving like a peace of mind a little bit because they actually, uh, give more possibilities to improve the security in general, like the, the security system design is benefiting from standards and it, it [00:02:00] usually happens through that. Security standards are well tested, they are transparent. They're often updated and, and, um, that helps to simplify the system. Like the one really general rule in security is, is a complexity is the biggest enemy of security. Like more

petra--_1_10-01-2025_150352: Hmm.

janne-uusilehto_1_10-01-2025_090352: system is more probabilities, has vulnerabilities and troubles,

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: and therefore, like, you know, in a really high level, I could say that uh, if you use standardized security, you are already on a good track.

petra--_1_10-01-2025_150352: it's a bit like I had a guest on AI regulation and she was saying when people are saying, oh, the regulation is stifling innovation, she was saying No, it's actually the opposite. Because once you have the regulation, once you have the rules, uh, it's predictable and people can just, uh, you know, implement those rules and it actually helps them innovate.

petra--_1_10-01-2025_150352: It doesn't prevent innovation.

janne-uusilehto_1_10-01-2025_090352: Yeah, that's the positive side of regulation.

petra--_1_10-01-2025_150352: Cool. Okay. Uh, so [00:03:00] let's continue on standardization. Uh, one of my favorite stories about standards, and I'm not telling you who told me this, uh, you probably know him, has to do with Nokia. Uh, our listeners may remember that in the early days of cellular networks and mobile phones, it was basically Nokia, Ericsson, and Motorola who are creating all of the enabling technologies.

petra--_1_10-01-2025_150352: And they had the foresight to inject their essential patents to the 2G, 3G, 4G, 5G, now even 6G standards, which means that anyone making 5G phones today, including Apple and Samsung, have to pay a hefty fee to these companies. And I heard a rumor that Nokia could make up to $10 per each iPhone sold, which is just amazing.

petra--_1_10-01-2025_150352: I mean, just think about the number of iPhones and uh, multiply that by 10 so a company can sit back and watch money flow in like a passive income for a company because they were smart about it 20 years ago. [00:04:00] So I'm always thinking that people are trying to sell standardization to companies in the wrong way.

petra--_1_10-01-2025_150352: And often it's the government, uh, you know, it's the bureaucrats who are telling companies, you know, you should go to standardization because then you can contribute to the standards. But instead they should be saying that you should go to standardization because you can benefit from that. You will actually be making money.

petra--_1_10-01-2025_150352: So, Janne, you led the cybersecurity standardization at Nokia. And in that role you made industry competitors agree. And I was actually there with you at TCG, so we had, uh, our fierce competitors there, but you made them agree on shared mobile security standards, something that sounds almost impossible. So build on my example of the telecom standard and explain to our listeners why are standards so critical in technology and what did it take to get those rivals to work together.

janne-uusilehto_1_10-01-2025_090352: Hmm. Yeah, I, I can't really, um, confirm or deny Nokia's business [00:05:00] models or what they get from, from the standards. But yes, there's a potential that when you get your, uh, ideas, uh, standardized and have a like essential patent, uh, there as a part of the standard, uh, there is, uh, income, uh, made through that. However, like some of the standardization or industry forums I've been working, they, they had these kind of IPR rules, which, um, kind of helps it reasonable. Like they, they have, uh, policies which say that, you know, if you have, um, patents, uh, in scope of the standard, you have to share the information with the rest of the membership on that standardization forum. And then there's an agreement that you can't start, you know, just a patent troll and, and, uh, suck all the money from the business, from others. But you can, you must have a reasonable, uh, licensing

petra--_1_10-01-2025_150352: But some, some companies have tried, I think.

janne-uusilehto_1_10-01-2025_090352: I think there, there has

petra--_1_10-01-2025_150352: Yes.

janne-uusilehto_1_10-01-2025_090352: otherwise [00:06:00] nothing would been written in, in the

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: But that really is, is like, you know, makes sense because it's a lot of effort for any company to contribute standards. Like you, you and me know that we, we had to do a lot of meetings and like you said, gaining on, on consensus, uh, as a part of the meetings with the, the competition wasn't always like automation. I was a little bit lucky on, on, uh, my journey. Because, uh, when, when we started to standardize the, actually the methodology like industry best practices, but also the technologies, were so much ahead of the industry, especially in the, in the vendor side, like the, the device manufacturer side that, uh, after Nokia was kind of done on the ideas, others were still not even started. So when we went to, to propose these ideas that how things should be moving forward on the mobile. Um, systems. Others were actually open for new ideas like that.

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: Okay. I didn't think about this before. So thanks for [00:07:00]

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: And of course, they are still suspicious and they have their own patent portfolios and ideas, so it, it really didn't go like that.

janne-uusilehto_1_10-01-2025_090352: We are just sharing everything and everybody's happy.

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: But it's, um, it helped a lot that people were listening. They were willing to listen us and, and take, make their own take on that and, and, uh, therefore, um, I didn't have to have like uphill battle on, on already existing billion ideas how to secure, secure mobile ecosystems. Um, other thing, what helped me, uh, was also that we were so early in, in Nokia that Nokia really didn't have much idea security should be treated after we went to the era of openness, because Nokia also had its dark, uh, past of, of doing like proprietary security solutions in, uh, dark rooms and hiding everything.

petra--_1_10-01-2025_150352: Mm-hmm.

janne-uusilehto_1_10-01-2025_090352: we really started to do scale security, we started to use open standards, open platforms, [00:08:00] and secret keys. And that also helped us that, um, when, when we went to, to standardize this, um, um, of. Were able to share this. There was no resistance in Nokia. Like

petra--_1_10-01-2025_150352: I've seen some companies that

janne-uusilehto_1_10-01-2025_090352: that

petra--_1_10-01-2025_150352: they actually said,

janne-uusilehto_1_10-01-2025_090352: said that, no, no, you are not telling this to our competition.

petra--_1_10-01-2025_150352: yeah,

janne-uusilehto_1_10-01-2025_090352: And, and,

petra--_1_10-01-2025_150352: I this from

janne-uusilehto_1_10-01-2025_090352: from the financial industry. I used to work on the nineties

petra--_1_10-01-2025_150352: banks.

janne-uusilehto_1_10-01-2025_090352: banks and there was this kind of, I think it wasn't really written anywhere, but you know, there are these kind rules that security never is, is competitive advantage. You are not going out and saying that, oh, our service is more secure than

petra--_1_10-01-2025_150352: Ah,

janne-uusilehto_1_10-01-2025_090352: Because everybody is, is uh, potentially vulnerable. Um, but they just don't know it. And the other thing is that it's always industrywide. Like we have seen that if one, uh, mobile platform is having a lot of trouble, the whole industry getting trust hit anyway.

petra--_1_10-01-2025_150352: yeah.

janne-uusilehto_1_10-01-2025_090352: So that helped us a lot of, of [00:09:00] going out, share all the information we have and getting like alignment between the, the parties.

janne-uusilehto_1_10-01-2025_090352: And one example I, I still entertain myself is that Apple, which has been known to be quite secret on, on whatever they do. I was even invited to talk to Apple how to do

petra--_1_10-01-2025_150352: Wow.

janne-uusilehto_1_10-01-2025_090352: engineering and engineering practices.

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: And they were super open on that. Like I was really welcomed and they listened carefully. of course they didn't share anything afterwards because it's

petra--_1_10-01-2025_150352: And they, they were really not in the standardization forums back then.

janne-uusilehto_1_10-01-2025_090352: back then

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: no. Like they, they were having their own

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: started to, to build up the, the strategy when they realized that they can't really have proprietary technologies

petra--_1_10-01-2025_150352: Yeah,

janne-uusilehto_1_10-01-2025_090352: or everywhere all the time. So they have to have a like common. Uh, APIs as well and, and like sharing the, the mobile network with

petra--_1_10-01-2025_150352: yeah.

janne-uusilehto_1_10-01-2025_090352: But giving an example of Trusted Computing Group, I, I think that was really, really nice there that, uh, how to align the, the competition and different interests.

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: The key to me was [00:10:00] that everybody was willing to contribute to use cases.

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: Like when we started the, the technical specification, we started from use

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: and the use cases were like forward looking. Business enabling use cases, not just, okay, we are preventing this and that hack or attack, more like, um, we are enabling mobile payments. are enabling, uh, content protections, confidentiality, privacy, like looking positive side and listing what were our top desired enabled, uh, use cases by that standard that get everybody's buy in. Even the competition of, yeah, we should enable this in the mobile platforms. that really helped to align people.

janne-uusilehto_1_10-01-2025_090352: If we would've been just jumping in a technical specification, start writing how many bits and bytes we want to do, there would be a huge fight and years of fight and no

petra--_1_10-01-2025_150352: Yeah.

petra--_1_10-01-2025_150352: We're discussing cybersecurity and standardization with [00:11:00] Janne Uusilehto. We're going to take a small break, but we'll be back after this message. And we're back with Janne Uusilehto. Uh, let's continue to explore the fascinating world of security. Cyber threats often feel mysterious and abstract until they hit headlines and become real, like, uh, a ransomware attack shutting down hospitals or energy pipelines, or a hostile foreign government jamming the GPS signal in the neighboring country.

petra--_1_10-01-2025_150352: And actually, in fact, just this week, there was a story of the UK government announcing a 1.5 billion loan guarantee for Jaguar Land Rover because they were, uh, they were experiencing a disruptive cyber attack, uh, that that hit them. So this is really big stuff and, uh, as the example shows, sometimes taxpayers, uh, need to, uh, foot the bill.

petra--_1_10-01-2025_150352: So, Janne Uusilehto, from your perspective, what is the biggest challenge the world is facing when it comes to companies, [00:12:00] organizations, and government agencies protecting themselves?

janne-uusilehto_1_10-01-2025_090352: Hmm. I would probably divide my answer for two different pieces. One is like emerging issues. Other is that the good old bad things still are valid. And that start from the boring one because it's, you know, uh, the main thing there is that we still are suffering a lot on like simple things like social engineering. People are still talking too much, sharing too much, and, and when they see a interesting email or link, there are always somebody who's, you know, selecting the link and, and giving all the information out. And it, it's still a really, really common, uh, attack vector for, for many.

petra--_1_10-01-2025_150352: The other thing.

janne-uusilehto_1_10-01-2025_090352: thing is the, the nature of, of, uh, needed security is like in uneducated, um, management boards and, and business decision making. Money tends to flow for, um, um, on the lack of the better word, [00:13:00] security theater. Like, you know, um, companies are making like big certifications, big standard, uh, contributions, uh, on, on like, you know, uh, would I say getting certified and, and, and getting visible on that and a lot of, uh, resources and money for that effort. But engineering is lacking that resource. And the challenge is coming through that, when you are doing security system design, it's proactive work, which is mostly based on that you are expecting things to go wrong. You are assuming these are your critical assets and you are protecting them. And practically, if somebody doesn't understand the nature of the, the security, they can think that that's a speculation. you say it's gonna happen? But when you are showing that, okay, let's do this certification. There are all these, um, uh, consultancy companies, uh, lined up and telling how important it is to everything. It's so easy [00:14:00] to, to invest on that and make it visible, because of course, it's a business enabler as well.

janne-uusilehto_1_10-01-2025_090352: So I don't say the certification as standards are bad because they actually enable

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: They, they convince your customers that you have done something right. But, uh, the problem I'm trying to point out is that, um. They still are not everything. And, and the main topic there is that instead of only investing on, on tools, certification, and standards used, invest in people, people make the difference that if you have, um, highly skilled security professionals. Uh, they can, uh, they know where to invest. They know what tools to use, how to use those tools, how to automate and, and create systems. But this is like, you know, the old generic thing. I've been talking over decades because this is somehow like, um, yeah, my mantra. But, uh, the rising issues I still see like automated AI drive driven attacks.

petra--_1_10-01-2025_150352: That's something

janne-uusilehto_1_10-01-2025_090352: which is really contributing to discussion we had like a decade ago, that how we should [00:15:00] automate our response like security, incident response system response to the, the attacks because

petra--_1_10-01-2025_150352: AI is making.

janne-uusilehto_1_10-01-2025_090352: social engineering

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: it also makes, um. Um, polymorphic, uh, software development is here.

janne-uusilehto_1_10-01-2025_090352: Like when, when you have a a malware, it can change its form on its

petra--_1_10-01-2025_150352: Oh, wow.

janne-uusilehto_1_10-01-2025_090352: its approach on its way, depending what opportunities it's

petra--_1_10-01-2025_150352: out the

janne-uusilehto_1_10-01-2025_090352: of the system. that makes it way, way

petra--_1_10-01-2025_150352: system.

janne-uusilehto_1_10-01-2025_090352: Like it doesn't anymore require person in the other end to choose where to go, but the, the AI driven attack is actually driving itself through the systems. that, that's one really interesting thing. Uh, the other thing is like. chains are, are so long and it's so easy to, to rely on pieces of software from, uh, internet, uh, from what other sources. And nowadays, of course, AI is generating you wonderful set of code, which is,

petra--_1_10-01-2025_150352: Vibe coding.

janne-uusilehto_1_10-01-2025_090352: the yes, which is introducing a new set of, of, uh, risks that [00:16:00] who actually knows what happens inside the code.

janne-uusilehto_1_10-01-2025_090352: It has been always a problem, but now it's making it, it more, um, evident. The reason that, um, developers are not anymore developers. They are more like architects they are just slamming code in. And when it works, it's fine. Of course, security testing is playing a role here as well, but, uh, when the supply chain is long, you are not probably testing everything you get in Aries and libraries, et cetera, et cetera.

janne-uusilehto_1_10-01-2025_090352: So it's, it's a really, really interesting thing. And lastly, I see the quantum computing there and, and many know I'm a quantum computing skeptic. But I still have healthy skepticism there I can't say, is it gonna happen is it not gonna happen? But because the risk is so

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: can't, you don't afford to not pay attention and see and follow what's going

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: And I think these are the, the three major, uh, rising issues at the moment. So the automated attacks, the AI driven attacks, the, the supply chain, uh, invisibility for the [00:17:00] software and code through the supply chain, and AI generated code. And then, um, the, the quantum computing.

petra--_1_10-01-2025_150352: Yeah. Okay. Let's talk about quantum. Let's talk about tech policy and geopolitics. You, you have advised governments from the UK to China to NATO, and you yourself have, uh, you've had an admirable career both in the Europe and in the US. So, uh, you are in New York. Are you a US citizen, by the way, or.

janne-uusilehto_1_10-01-2025_090352: I am Finn citizen and

petra--_1_10-01-2025_150352: And both.

petra--_1_10-01-2025_150352: Okay. So dual citizenship.

janne-uusilehto_1_10-01-2025_090352: only.

petra--_1_10-01-2025_150352: Okay. Excellent. Good track. Um, so, so geopolitics is, um, I am too. So, and it's, uh, it's a very tough situation that we have right now between, uh, the US and, and Europe on tech policy and other policy sides. Um. So technology is at the center of these geopolitics. There's data protection, data ownership, AI regulation.

petra--_1_10-01-2025_150352: We discussed the, um, [00:18:00] um, um, the AI, the European AI regulations. There's cybersecurity. I mentioned GPS. I'm currently representing Finland at the ISO/IEC JTC 3 group that standardizes quantum technologies. And, uh, it's global. And I have to tell you, Janne, there is not always a lot of love in these rooms where you have China, Russia, Japan, South Korea, and the western countries, EU countries, all trying to get their view into the documents.

petra--_1_10-01-2025_150352: And some of these countries are really well organized, much better than, than some other countries. I'm not gonna name any names, but I'm sure you and, uh, the listeners can have an educated guess. So in your view, Janne, what should governments, what should the role governments play here? I mean, there are so many aspects to think about this, the regulation aspect.

petra--_1_10-01-2025_150352: EU and and member states can mandate an existing standard. Like for example, we're, we're all using USB-C chargers now. Uh, but they can also help companies in their country to come together and [00:19:00] work under a national strategy umbrella to push certain topics or certain technologies forward inside the standardization forums.

petra--_1_10-01-2025_150352: And, uh, countries could even fund domestic companies for doing the standardization work.

petra--_1_10-01-2025_150352: So what's your view?

janne-uusilehto_1_10-01-2025_090352: Um, if this is a, like, um, wish list, I feel like shopping

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: because now I'm talking to right person. So it's, it's a really nice to, to, to get my voice. Voice heard. Of course. There's lots of things over the years I've been thinking on how to. utilize this, how to make it, uh, good for all. And the

petra--_1_10-01-2025_150352: thing

janne-uusilehto_1_10-01-2025_090352: thing coming into mind,

petra--_1_10-01-2025_150352: is

janne-uusilehto_1_10-01-2025_090352: that, you know, the governments, EU, um, whatever framework we, we

petra--_1_10-01-2025_150352: to have.

janne-uusilehto_1_10-01-2025_090352: they should really enable the collaboration.

janne-uusilehto_1_10-01-2025_090352: Like again, the learning from the past when I was, uh, doing these [00:20:00] security technologies and, and trying to get them globally accepted, was lots of, uh, so many conflicting ideas, like in, in one sense. the law enforcement and, and, um, let's say, um, prevention of the criminal activities. They really, really wanted to have a control over the, the encryption and, and like security and, and in, in some, uh, cases, even like a back doors to, to ruin the whole security. And the other, other side there was like. Um, interest, which are like, okay, let's protect our critical infrastructure, highest possible standard. and like, you know, inside the one government there can be a conflicting ideas and it was really,

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: to navigate in that space and get everybody agreed.

janne-uusilehto_1_10-01-2025_090352: So I, I feel you, when you are saying that getting these standards in place in addition to geopolitics, the AI is a huge control point in general. But yeah, for me, um, if I, I get to, to forget that complexity and, and focus on what they [00:21:00] should enable is that. they should work as an, uh, like a enabler or, or facilitator for industry to innovate, like building the vehicle where, uh, industry can innovate and build on top of the, the somehow aligned intent. But like, again, putting in simple terms like regulating technology is, is a super, um, hard and difficult area and even, uh, risky because if you start regulating technology. Without understanding the technology, you end up off the freedom of, of the developers and, and the, the real, uh, building the, the business.

janne-uusilehto_1_10-01-2025_090352: Like I see a risk that EU is regulating itself out of the

petra--_1_10-01-2025_150352: Okay.

janne-uusilehto_1_10-01-2025_090352: Like giving an example now, like we discussed that I'm living in New York. I see what kind of offering we have on, on, uh, AI and, and related items, uh, to our consumers. And when I. [00:22:00] Travel to Europe, I get blocked on most of those things just stop working.

janne-uusilehto_1_10-01-2025_090352: And I, I'm okay because, you know, I, I can, uh, expect it as a, as a consumer. But I would think how, uh, frustrating it's for the developer that all the developers in EU, they have to somehow wiggle themselves in a US market and compete with the people who are developing software in the US or China or other regions, which are not so highly regulated in the EU. They have access for all the functionality they can test, they can run, they can pick consumers for the systems which are not even available in, in EU. And as you know, consumer experience is really on, on like, um, enable for innovations.

petra--_1_10-01-2025_150352: Hmm.

janne-uusilehto_1_10-01-2025_090352: when you're using system, you start getting ideas how it can be better. But if you don't even have access for the service, how it's possible. back to the

petra--_1_10-01-2025_150352: Like,

janne-uusilehto_1_10-01-2025_090352: like, yes, they should enable the collaboration between the companies and be like a lubricant on innovation [00:23:00]

petra--_1_10-01-2025_150352: How to do.

janne-uusilehto_1_10-01-2025_090352: do it. It's probably case by case, but uh, blocking, uh, freedom of implementation. Uh, freedom of is, is probably not, um, the way it should be done. And other thing, um, has been long in my agenda as well, like early years of, of, uh, security. There really was a challenge that security was a bad business. Meaning that, uh, companies were not willing to invest for proactive security because customers didn't ask it. So nobody was asking you to do security until it was too late when the incident hits the fan and everybody's asking security, but it's kind of too

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: You should invest ahead of the time. And I, I've been, uh, since then thinking like. When there is this kind of emerging technology, uh, what is evidently

petra--_1_10-01-2025_150352: Future

janne-uusilehto_1_10-01-2025_090352: but it's not a good business at the moment, the government, the EU, they should actually

petra--_1_10-01-2025_150352: buy and.

janne-uusilehto_1_10-01-2025_090352: and utilize these systems even though it's more expensive than the ex existing [00:24:00] ones. But that's the, the best incentive for the, the business. When. You know, my sales VP sees that the competition company, uh, sales VPs announcing they just sold this wonderful system to the government with the big money,

petra--_1_10-01-2025_150352: Even though,

janne-uusilehto_1_10-01-2025_090352: though it was necessary today. But we all know it'll be necessary in future. I start investing proactively as well

petra--_1_10-01-2025_150352: yeah.

janne-uusilehto_1_10-01-2025_090352: I, I don't want to lose my market for that

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: and who is having that money?

janne-uusilehto_1_10-01-2025_090352: It's the government and EU, but they are now through the like subsidizing business and going. After those who are making most of the noise, where the danger is that like, again, seeing so much snake oil here,

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: there are really, really good salesman people who are selling, uh, technologies, which are not even existing yet, and the governments are funding research and science projects on those.

janne-uusilehto_1_10-01-2025_090352: But if, if our governments and EU are actually buying products which are overlooking technologies. Which [00:25:00] benefit, uh, the consumers and, and citizens of EU, the money goes the right way. It actually goes those who are doers, not the salespeople only or consultants, nothing bad with the consultants. They, they have their place in the ecosystem as well.

janne-uusilehto_1_10-01-2025_090352: But if you want to have some concrete ideas, I, I think these are the main ideas I coming into my mind immediately.

petra--_1_10-01-2025_150352: Amen. Here, here. Okay, we are coming to the end of our time here. Uh, one last question. You have, you've shaped standards. You have led security at some of the world's biggest tech companies. You have advised governments, and you have advised the world's most important security organizations now looking forward.

petra--_1_10-01-2025_150352: What excites you the most about the future, either personally or professionally? So what excites you? And then on a more serious note, what, what keeps you awake at night?

janne-uusilehto_1_10-01-2025_090352: Hmm. Uh, [00:26:00] nothing keeps me awake at night. On, on the negative side, which I'm happy. Maybe it comes through. The experience that you have seen always think stinks. Um, not perfect, but lately, like last 10 years, uh, I've seen and learned that

petra--_1_10-01-2025_150352: Gonna be okay.

janne-uusilehto_1_10-01-2025_090352: like, you know.

petra--_1_10-01-2025_150352: Start falling in the darkness

janne-uusilehto_1_10-01-2025_090352: but not even, or not, uh uh,

petra--_1_10-01-2025_150352: totally.

janne-uusilehto_1_10-01-2025_090352: and, and holistically. There always will be trouble because the human mind and like we discussed the investment photo, proactive security is always challenging to people who are not operating in the area of security.

petra--_1_10-01-2025_150352: Somehow. I'm not.

janne-uusilehto_1_10-01-2025_090352: not worrying my nights out, but uh, more positive note, like you said,

petra--_1_10-01-2025_150352: Sometimes I find myself, uh,

janne-uusilehto_1_10-01-2025_090352: um, too excited.

janne-uusilehto_1_10-01-2025_090352: Like when, when I'm working with some of the. The

petra--_1_10-01-2025_150352: companies.

janne-uusilehto_1_10-01-2025_090352: I'm helping to, with the security engineering, uh, privacy engineering and kind of compliance engineering efforts, see so much opportunities there. Like, it's so nice to see that, [00:27:00] um, so many companies, uh, are having way better tools that way better understanding like availability of technologies, tools, processes, and understanding is huge. So nowadays with a relatively small effort, you are able to put company on the right track. And when I see that in front of me, I get so excited because I always remember that struggle on, on like early 2000 when no matter what security, nobody needs s there is too much security here. Like why we are talking about this.

janne-uusilehto_1_10-01-2025_090352: Nobody's

petra--_1_10-01-2025_150352: Yeah.

janne-uusilehto_1_10-01-2025_090352: nowadays. People are aware it's there and they want to invest on it when you are putting the message right. And sometimes when, when I have an opportunity to talk, some of the companies. I find myself already waking up for him. Ah, today is the day that we can make the impact.

petra--_1_10-01-2025_150352: Oh, I love it.

janne-uusilehto_1_10-01-2025_090352: that, that's a, that's a really interesting thing.

janne-uusilehto_1_10-01-2025_090352: But of course on the negative side, if, if thinking like what worries is exactly this, like, you know, on the era of, of ransomware 3.0, which is this, uh, AI driven, [00:28:00] uh, automated attacks with the polymorphic, uh, software. And then, um, that area, is it like. It

petra--_1_10-01-2025_150352: Me

janne-uusilehto_1_10-01-2025_090352: me, but again, um, I've been advocating automated incident response and especially like systems, automated response to attacks over a decade.

janne-uusilehto_1_10-01-2025_090352: And, and when I started to think about this, there wasn't really any technologies available. It was really hard to, to get in

petra--_1_10-01-2025_150352: talking about this topic, how we.

janne-uusilehto_1_10-01-2025_090352: are we gonna do it? Like, I, I don't know, machine learning maybe. Of course machine learning is good for anomaly detection and, and DLP and, and things like that.

janne-uusilehto_1_10-01-2025_090352: But now. AI is helping us to, to harvest this huge amount of system data and, and finding the, the, the issues, but also generating settings and setups, uh, are then helping the, the automated risk process as well. Like one example of, of the potential are lately seen if you know a company called Valo ai, it's a kind of, uh, I think the RAF Finnish guys in [00:29:00] that company and they are. Building AI assisted, um, configurations. And I think that's one big building block that, you know, you can make actually a configuration based on the attack patterns. And, and there I see, like this is really getting me excited and, and I shouldn't think this after like 8:00 PM because otherwise I don't sleep the whole night because I'm envisioning it so

petra--_1_10-01-2025_150352: That's your coffee.

janne-uusilehto_1_10-01-2025_090352: maybe too long story for one, one simple question, but I, yeah. As you, as you can see, I'm getting excited on this.

petra--_1_10-01-2025_150352: Yes. I really loved your message that we're gonna be okay. It's very comforting. Alright, this has been Janne Uusilehto, a visionary strategist. A corporate builder, an industry-wide collaborator and diplomat, a people-centric leader and mentor, a hands-on technical expert and problem solver. And the innovator and proactive change agent.

petra--_1_10-01-2025_150352: [00:30:00] Thank you for coming to Deep Pocket.

janne-uusilehto_1_10-01-2025_090352: Thanks. It was great to be here. My pleasure.

Copyright © 2024 Petra Soderling - All Rights Reserved.
