Florence Mottay started her career in cyber security, researching exploits for security vulnerabilities in a small US startup. Today, she is the group chief information security officer (CISO) at Zalando, a high-tech online fashion retailer that boasts over 50 million customers in 26 markets.
Zalando, she says, is more of a technology company than a retailer, offering its shoppers artificial intelligence (AI)-powered apps that can help them choose the right outfit for an occasion or take their measurements by capturing an image on a mobile phone.
The company’s move to generative AI (GenAI) has created unique challenges for Mottay and her 100-strong IT team. There were no blueprints, so it was a matter of working it out from scratch while working closely with other parts of the business.
Mottay says she “fell into” a career in computer security after receiving an offer from a university in Florida, where she was studying maths during an exchange programme.
“I met a professor of software engineering who must have seen some potential because he said he would sponsor the rest of my bachelor’s degree and my master’s degree if I agreed to switch from mathematics to software engineering and to work on some of the research grants he was getting,” she says.
Starting at a security startup
In 2003, Mottay was offered a job in a small startup that specialised in creating security exploits for US government contractors, such as Raytheon and Northrop Grumman. “I was employee number seven.”
Security Innovation, as the company became known, developed proof-of-concept exploits to show how security vulnerabilities in software could be misused by hackers or bad actors if they were left unfixed.
It was a steep learning curve, says Mottay in an interview with Computer Weekly at a SANS cyber leaders summit in London. “For six months, I used to go home after work and study until 3am on how to create exploits, and I became pretty good.”
Two years later, she was asked to open a branch of the company in the Netherlands to develop exploits for European companies. The branch grew and was taken over by a larger company. Other security posts followed.
Making a switch to retail
After 10 years, Mottay changed direction, taking up a post as director of IT security at Dutch retailer Ahold, owner of the Albert Heijn supermarket chain. Soon after, Ahold merged with the Belgian multinational retailer Delhaize. By 2019, Mottay had risen to become its global CISO and vice-president for information security.
“I quickly found out that stakeholder management and partnering with the business was the way to success,” she says. “I started building relationships.”
Ahold and Delhaize had similar history, culture and approaches to business, but their IT systems were different. When the companies came together, some IT systems were merged, and in other cases, each company kept its own distinct technology.
“For us in security, we found ways to secure whichever choice was made,” she says.
From vulnerabilities to fashion
In 2022, online fashion retailer Zalando was looking for someone to transform its security operations and made an approach.
Zalando had an “entrepreneurial spirit” and a focus on innovative digital technology that was instantly attractive to Mottay. “It was like, ‘Oh my god!’”
Her brief was to reposition cyber security from a vertical operation that sat alongside other business units in the organisation to a horizontal operation that runs through every part of Zalando.
For Mottay, it was back to building trusted relationships with her new team and the board. That meant finding ways to support the company’s objectives and to navigate around any security issues that arose rather than seeing them as blockages.
“We’re here to support the business and we’re here to enable, so we need to find ways to enable what the business ambition is, and I think that is how you build trust,” she says.
Mottay says she is fortunate that every business leader at Zalando has a good understanding of technology and cyber security. “It is unusual, but it’s actually quite exciting,” she says. “It’s very cool.”
Acting fast with AI
Managing security has become more of a challenge for CISOs like Mottay as GenAI begins to pose new challenges.
“If you think about ransomware, AI is an accelerator,” she says. “It makes attacks more accessible to people, and it makes them faster as well. So that means as a cyber security function, we have to be faster than ever before.”
It’s more important than ever for organisations to have visibility of everything that is happening on their computer networks, she says.
Take the Log4j security vulnerability discovered in 2021, which exposed a wide range of applications across the enterprise to remote code execution attacks. The wide distribution of vulnerable software in cloud services and on premises made it difficult for organisations to detect and patch.
“If you had a bill of materials, you could quickly see where all the instances that were vulnerable were and address them. So, it’s the same thinking – if something is going on, can we look and identify where we need to act as fast as possible?” she says.
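Mottay’s point about a bill of materials, as an added example that is not from the article or from Zalando: a short Python script that walks a constructed CycloneDX-style SBOM and lists every service still bundling a log4j-core older than the version you treat as fixed. The SBOM contents and the 2.17.1 threshold are assumptions; replace the threshold with the figure from your vendor advisory.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not a real Zalando artefact):
# three services, each listing the libraries it embeds as nested components.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "checkout-service", "version": "4.2.0", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"}]},
    {"name": "search-api", "version": "1.9.3", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}]},
    {"name": "image-resizer", "version": "0.7.0", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
      {"group": "ch.qos.logback", "name": "logback-classic", "version": "1.2.11"}]}
  ]
}
"""

def version_key(version):
    """Turn '2.14.1' or '2.0-beta9' into a sortable tuple; a pre-release
    tag sorts below the bare release with the same number."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 0, "") if not pre else (nums, -1, pre)

def walk(components, path=()):
    """Yield (path, component) for every component in the nested tree."""
    for comp in components:
        here = path + (f"{comp['name']}@{comp['version']}",)
        yield here, comp
        yield from walk(comp.get("components", []), here)

def find_vulnerable(sbom_json, group, name, fixed_version):
    """Return every occurrence of group:name older than fixed_version as a
    'parent@ver > child@ver' string, so each hit can be assigned to an owner."""
    hits = []
    for path, comp in walk(json.loads(sbom_json).get("components", [])):
        if comp.get("group") == group and comp.get("name") == name \
           and version_key(comp["version"]) < version_key(fixed_version):
            hits.append(" > ".join(path))
    return sorted(hits)

if __name__ == "__main__":
    # The fixed version comes from the advisory you are acting on; 2.17.1 is an assumption here.
    for hit in find_vulnerable(SBOM_JSON, "org.apache.logging.log4j", "log4j-core", "2.17.1"):
        print("PATCH:", hit)
```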
Zalando is using AI to triage security alerts, but keeping on top of the threats requires “constant upskilling” of the security team and continual monitoring of threat intelligence.
Mottay’s experience developing exploits and studying vulnerabilities has stood her in good stead. “When there is an attack, I understand how it was created,” she says. “I can dive deep where I need to, thanks to my technical background.”
Adapting to the GenAI dynamic
At the same time, Mottay and her 100-strong security team are supporting Zalando’s ambitious generative AI programme.
Zalando began work on GenAI-powered shopping assistants to help its customers with their shopping soon after the launch of ChatGPT in late 2022.
Mottay was asked to help deal with some of the risks posed by AI, including bias, hallucination and misinformation, which fall outside the natural remit of IT security.
Some of the security team were already enthused by generative AI and had begun experimenting with it, so Mottay turned to them first.
“When I got the call, I went to them … and I said, ‘Hey guys, do you want to help? Do you want to partner? Let’s just do it’,” she says. “And so they started working with the business.”
Zalando’s AI-powered fashion assistant helps customers choose the right outfit for any occasion
There were some clear risks. For example, an AI system could agree to let customers return clothes for a refund even if they had worn them for several years. Or they could offer the same item at different prices to different people.
Mottay’s team assembled 80,000 prompts to train the model in a secure way. They classified each prompt into three categories: business-related enquiries about, for example, items for sale; non-business-related enquiries, such as an irrelevant question about ingredients for a recipe; and malicious enquiries, such as a request to run computer code.
The company launched its AI-powered Zalando fashion assistant in selected markets in 2024. The tool can answer questions such as: “I have been invited to a wedding in Barcelona, in October, and the reception starts in the church and finishes on the beach. I am struggling to find a good outfit. Could you suggest one for me?”
The next challenge will be how to manage the security of agentic AI, which in future will be able to perform automated tasks for customers and the company.
While it doesn’t make sense to control AI agents directly, since by definition they take action autonomously, Mottay is working with the company to develop overarching rules that will act as safeguards.
The rules will include ensuring that a human is accountable for each AI agent, ensuring that each agent has a clear mandate and that it does not have capabilities that go beyond its mandate, ensuring there is an audit trail of each agent’s actions, and making sure a human is always involved in any high-risk decisions.
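The four safeguards listed above, as an added example that is not Zalando’s code: a small Python gateway through which every agent action passes, enforcing an accountable owner per agent, refusing anything outside the agent’s mandate, holding high-risk actions for a named human and writing every decision to an audit trail. The returns assistant, its actions and the handlers are constructed for the demo.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Mandate:
    agent: str
    owner: str            # accountable human, never empty
    allowed: frozenset    # actions inside the mandate
    high_risk: frozenset  # subset of allowed that needs a human decision
    def __post_init__(self):
        if not self.owner:
            raise ValueError(f"{self.agent}: no accountable owner")

class Gateway:
    """The one choke point every agent action passes through."""
    def __init__(self, mandates, handlers, clock):
        self.mandates = {m.agent: m for m in mandates}
        self.handlers = handlers  # action name -> callable doing the real work
        self.clock = clock        # injected so the audit trail is reproducible
        self.audit = []           # append-only record of every decision
        self.held = []            # high-risk actions awaiting a human
    def _log(self, agent, action, params, outcome, by=None):
        m = self.mandates.get(agent)
        self.audit.append({"ts": self.clock(), "agent": agent, "owner": m.owner if m else None,
                           "action": action, "params": params, "outcome": outcome, "by": by})
        return outcome
    def request(self, agent, action, params):
        m = self.mandates.get(agent)
        if m is None or action not in m.allowed:
            return self._log(agent, action, params, "denied")   # outside mandate
        if action in m.high_risk:
            self.held.append((agent, action, params))
            return self._log(agent, action, params, "held")     # a human decides
        self.handlers[action](**params)
        return self._log(agent, action, params, "executed")
    def approve(self, reviewer, index=0):
        agent, action, params = self.held.pop(index)  # a named human releases it
        self.handlers[action](**params)
        return self._log(agent, action, params, "executed", by=reviewer)

# Constructed demo: a returns assistant may look up orders and issue refunds (high-risk); price changes are outside its mandate.
REFUNDS = []
HANDLERS = {"lookup_order": lambda order_id: None,
            "refund": lambda order_id, amount: REFUNDS.append((order_id, amount))}
MANDATES = [Mandate("returns-assistant", "returns-team-lead",
                    frozenset({"lookup_order", "refund"}), frozenset({"refund"}))]
def demo():
    gw = Gateway(MANDATES, HANDLERS, clock=iter(range(100)).__next__)
    outcomes = [gw.request("returns-assistant", "lookup_order", {"order_id": "A1"}),
                gw.request("returns-assistant", "refund", {"order_id": "A1", "amount": 59.9}),
                gw.request("returns-assistant", "change_price", {"sku": "X", "price": 1})]
    outcomes.append(gw.approve("alice"))  # human signs off the held refund
    return outcomes, gw.audit, list(REFUNDS)
```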
“We are not perfect, but we have something good in place, and we are continuously improving. We are looking at agentic security and what we need to put in place to be ready when the business is ready,” she says.
Jonathan is a tech enthusiast and the mind behind Tech AI Verse. With a passion for artificial intelligence, consumer tech and emerging innovations, he delivers clear, insightful content to keep readers informed. From cutting-edge gadgets to AI advancements and cryptocurrency trends, Jonathan breaks down complex topics to make technology accessible to all.