Lessons in AI and cloud security with Linda Dögg Guðmundsdóttir

Written by Björn Orri Guðmundsson | May 22, 2026


In the fifth episode of the Hack & Tell podcast, we sat down with Linda Dögg Guðmundsdóttir, better known in the tech community as The Icelandic Cloud Queen.

Currently working as an AI solutions expert at KPMG in Reykjavík, Linda is also the first woman in Iceland to earn the prestigious Microsoft MVP (Most Valuable Professional) title. In our chat, Linda shared her story of going to art school to learn photography and later pursuing system administration. We then dove right into the real risks of "shadow AI" and why the rollout of AI tools like Microsoft Copilot is finally forcing C-suite executives to actually care about data governance.

Building a personal brand

For a lot of people in tech, personal branding feels a bit secondary, maybe even a little cringy. But for Linda, it was a strategic move to get her name out there and bridge the gap between knowing the tech stuff and teaching it to society.

To become a Microsoft MVP, you have to be highly active in the community. You have to show up as a speaker, write blogs, and be active on LinkedIn to teach others what you know.

As to why she chose the name “Icelandic Cloud Queen”, Linda says:

To fix that, she actually used ChatGPT and Copilot to generate about 50 different name options. Then, she let her husband pick the winner. "To get him invested in it, right?"

Linda admits that in cybersecurity and IT, you usually see very dry, corporate titles, so stepping out with a name like that requires a bit of a strong ego, or at least a healthy dose of "fake it till you make it." Even if it feels a little cringy to say out loud sometimes, it's just part of the game to get the knowledge out there.


What does it mean to be a Microsoft MVP?

So, what does being an MVP actually mean? It means you’ve proven over at least the last 12 months that you're not just highly skilled at what you do, but that you’re enthusiastic about sharing that knowledge. It’s about building up a community, not just being the lone specialist locked in a room.

It’s something you do entirely on your own time. It’s driven by a genuine interest in the tech, not because the company you work for is forcing you to do it. To even get into the application process, you have to be nominated by an existing MVP or a Microsoft employee. From there, they review everything you’ve done over the year to see if you make the cut.

Being highly competitive, Linda went after it and got it. Her career path reflects that drive—moving from local Icelandic IT companies like Origo to the global scene at KPMG, where the scale of the work changes completely.

The Icelandic vs the global security gap

Having experience working in both Iceland and the wider Nordic region highlighted a major contrast for Linda in how cybersecurity is handled.

Iceland is basically a miniature version of a well-developed market. The country only has three big banks, a handful of large production companies, and a lot of small-to-medium businesses (SMBs) with 300 users or fewer. Because the ecosystem is so small, local companies often just don't have the funding to truly enhance their security. They end up acting like "first-time buyers." They purchase a security solution because they know they need it, but lack the deep resources to back it up.

On the global scene, the scale is humongous. A security project that might take six weeks for a small local company can easily take two years at a global corporation. Global clients have the budget to go into immense, granular detail.

For a growing tech specialist, a small market also presents a bottleneck. Once you reach a point where you know a lot about a specific area, it becomes incredibly difficult to find anyone locally who can teach you something new. To keep growing, you eventually have to look abroad.

Copilot leaders vs. Copilot guessers

Linda recently gave a talk at Ský titled "Copilot Leaders versus Copilot Guessers," which zeroes in on how companies are handling the sudden rush to adopt AI solutions.

The biggest takeaway

AI adoption is a business project, not an IT project. A lot of companies think they can just treat it like a technical implementation. But it actually requires the C-level to step up, look at their strategy, and decide exactly what they want to invest their money in. You have to figure out why you are buying the solution in the first place.

What is the most dangerous AI guess a company can make right now?

Assuming their data is secure and that they’re simply "ready" for AI. Right now, so many companies are just buying Copilot licenses, turning them on, and hoping for the best. Then, they almost immediately have to roll the whole thing back because they realize they have massive data leakage happening within the company. They are guessing because they don't actually know where their data is.

The reality of AI risks: hallucinations and bad data

If we look at how people are using these tools right now, the threats are already here. Two of the biggest issues companies face are model hallucinations and poor-quality legacy data.

  • Engineered to answer: LLMs like ChatGPT and Copilot are literally designed to answer you. If they don’t know the actual answer, they will still try to give you one. They will just say something because that's what they were built to do, which naturally leads to hallucinations.
  • The legacy data problem: Imagine an employee who was let go five years ago, but their old files are still sitting somewhere in your system. If that data is outdated or just low quality, Copilot doesn't know any better. Copilot isn't trained on those files, but it uses them anyway, because it simply pulls from whatever it has access to. If your internal data house is messy, your AI results will be messy too.

The rise of "Shadow AI"

We used to talk a lot about Shadow IT, but now we're seeing the rise of Shadow AI. With employees now able to easily build their own custom Copilot (or any other AI) agents, a whole new risk layer emerges.

Every single AI agent an employee creates needs an identity and proper governance. If anyone can create unlimited agents, you’ll suddenly end up with a company flooded with them. If those employees leave the organization, how do you track which agents are still running, what they’re doing, or if they’re even useful anymore? It completely blows up the attack surface if it isn't controlled.

How to govern and secure the AI journey

Is it actually possible to have good governance over all of this? Yes, it absolutely is. Linda breaks down how she helps companies tackle this through a practical, workshop-driven approach.

1. Assign real owners

For every single tool or solution you use, you have to clearly decide who the business owner is and who the technical owner is. This kind of accountability is severely lacking in most companies right now, but it's the first thing you need to establish before launching an AI journey.

2. Fix the process, not just the tech

When Linda goes into companies, she runs workshops with key employees from each division to look at what they do every day. They look for bottlenecks and opportunities for automation. This includes reviewing job applications or managing grant requests where an agent can read the file, check for missing info, and automate the back-and-forth.

But a critical part of this is realizing that AI isn't a magic band-aid. Sometimes, the way a team does things is the actual problem. Putting AI on top of a broken workflow won't fix it. She points out that sometimes you just need to update the process or use a different tool entirely.

3. Control who can build

You can't just let everyone run wild with tools like Copilot Studio. Everyone can use basic personal agent builders, but for broader corporate tools, you have to limit access.

Linda recommends using premium licensing platforms to create automated guardrails. For example, if an everyday user tries to create an agent using the Power Platform, the system can automatically direct them into a safe, isolated sandbox environment. Meanwhile, an experienced developer who knows what they're doing can work without those tight constraints.
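As an added illustration of the checks described above (named owners from step 1, builder limits from step 3, and the Shadow AI question of agents that outlive their creators), the Python below audits an agent inventory. It is not from the podcast or from any Microsoft tool; the inventory fields, user names and environment names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: these users, fields and environment names are
# assumptions for the example, not an export from a real tenant or API.
ACTIVE_USERS = {"anna", "bjarni", "dora"}   # people still employed
APPROVED_BUILDERS = {"dora"}                # cleared to build outside the sandbox
SANDBOX_ENV = "sandbox"

@dataclass
class Agent:
    name: str
    creator: str
    business_owner: Optional[str]
    technical_owner: Optional[str]
    environment: str

def audit_agent(agent, active_users, approved_builders):
    """Return the list of governance findings for one agent."""
    findings = []
    # Step 1: every agent needs a business owner and a technical owner,
    # and both must still be with the organization.
    for role in ("business_owner", "technical_owner"):
        owner = getattr(agent, role)
        if not owner:
            findings.append(f"missing {role}")
        elif owner not in active_users:
            findings.append(f"{role} '{owner}' has left the organization")
    # Shadow AI: an agent whose creator has left is a candidate for review.
    if agent.creator not in active_users:
        findings.append(f"creator '{agent.creator}' has left the organization")
    # Step 3: only approved builders may run agents outside the sandbox.
    if agent.environment != SANDBOX_ENV and agent.creator not in approved_builders:
        findings.append("built outside the sandbox by a non-approved builder")
    return findings

def audit_inventory(agents, active_users=ACTIVE_USERS,
                    approved_builders=APPROVED_BUILDERS):
    """Map agent name -> findings, omitting agents with no findings."""
    results = ((a.name, audit_agent(a, active_users, approved_builders)) for a in agents)
    return {name: findings for name, findings in results if findings}

INVENTORY = [  # constructed inventory
    Agent("grant-intake", "dora", "anna", "dora", "production"),
    Agent("cv-screener", "einar", "anna", "einar", "sandbox"),
    Agent("sales-notes", "bjarni", None, "bjarni", "production"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(f"{name}: " + "; ".join(findings))
```
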

4. Protect the data itself with Purview

When you look at security, it often depends on whether you're building something internal or customer-facing. Right now, most companies are strictly focusing inward because customer-facing AI opens up a massive can of worms regarding spamming and exploitation.

For internal security, Copilot simply uses the rules and environment you already have in place. If you have Multi-Factor Authentication (MFA) and conditional access policies set up, you can block a user from using Copilot if they are flagged as a risky user.

Beyond that, you have to secure the data itself using tools like Microsoft Purview to create sensitivity labels and data loss prevention (DLP) policies.

Microsoft Purview helps organizations classify and protect sensitive data, such as social security numbers or highly confidential executive files. When sensitivity labels, DLP policies and access controls are properly configured, they can reduce the risk of Copilot surfacing or using information in ways it shouldn’t. It does not replace good data governance, but it gives companies the controls they need to make AI adoption safer.

What makes the C-suite care about cybersecurity?

An honest truth about cybersecurity is that most startup and early-stage companies don't have the funding to make everything perfectly secure from the ground up. They spend all their money developing the product, building on a shaky foundation, and hoping they can go back and fix the security before it becomes unmanageable.

And in reality, many C-level executives don't naturally care about cybersecurity all that much. They care because they have to, or because it represents an abstract risk. But they are mostly reactive in their approach. If it isn't an active threat right now, it isn't a priority.

But Linda saw a massive shift the moment Copilot entered the picture. Why? Because it suddenly made data security incredibly personal.

With new regulatory frameworks like NIS2 and DORA coming into full swing, executives are also facing personal and legal liability. This is driving a major rise in companies looking into cyber insurance. To lower those insurance premiums, they are finally being pushed to take actual action.

The worry, of course, is that many companies will still just look for ways to do the bare minimum. They’ll treat mandatory pentesting and physical security audits as a checklist item rather than a way to become genuinely secure. But the conversation is undeniably moving into the boardroom.

The future of AI and cloud security

When asked about the next big thing in cloud security, Linda's perspective is simple: "We just go with the flow."

The industry is evolving so blindingly fast that it can be incredibly stressful. When you realize that almost anything can be broken or hacked, it’s easy to worry. With AI, bad actors can now run security testing and find vulnerabilities at a terrifyingly fast pace. While we might have had a day or two to patch a major vulnerability in the past, AI agents mean attacks can happen almost instantly.

Because the threats are evolving just as fast as the tech, Linda believes small markets like Iceland need to shift their mindset away from standard corporate competition and toward collective defense.

"We are so small that we should rather just focus on helping each other, making everything secure instead of competition, because we have so few specialists," she says. "There's enough projects for everyone."


Whether it's the government stepping in to establish a council of top specialists from different MSPs to share best practices, or creating funding pools to help underfunded companies get secure, sharing knowledge is the ultimate way forward.

AI is here, employees are already using it, and corporate data is being leaked all over the place by companies waiting too long to act. The best thing leaders can do right now is accept that reality, pick the right secure tools, clean up their internal data permissions, and keep moving forward.


Thank you, Linda, for sharing your vision and expertise with us.