A CISO POV: Securing AI in your company

How much adoption are you seeing in the security team today, and how much AI is under the hood of the products most organizations have deployed? Also, please address the bootlegs in your comments under SBOM.

[…]

Many security companies have integrated machine learning and robotic process automation (RPA) into their tools. When AI hit the mainstream media, all of a sudden, ML and RPA became AI. It didn’t help that many governing bodies blended ML and AI together, which complicated things a bit for us in security.

How much is there? More than we think, but less than the vendors say. We’re going to solve this with the mandates for SBOMs (software bill of materials), which will move us from fiction to fact. What we can’t lose sight of in all the noise of AI is that if we’re using it, so are the threat actors.

Using AI in social engineering will blow the top off our methods for authorization and authentication. What has been the silver bullet called ZTNA (Zero Trust) won’t mean a thing if the threat actors keep moving at the pace they are.

Most security teams are skeptical about coloring outside the lines regarding the bootlegs. So, using AI without proper approval and thinking shouldn’t be a problem. However, it’s an opportunity to work with startup companies in a design partnership to move faster with AI capabilities to solve real problems.

Regarding CISOs managing AI use, CISOs need to be part of a cross-functional team of leaders in a company that lays out guidance for employees. A governance framework and an inventory of existing AI use should be developed. You don’t want to stifle innovation, so you must develop a safe environment for innovators to work. CISOs cannot be the only decision-makers in the usage of AI. 

I also am not a believer in creating different policies for tech adoption. If your policies and control framework follow an industry standard, then it doesn’t matter what tech you adopt. Monitoring standards bodies like NIST are a must for CISOs to keep their organizations following some framework.

Lastly, what do you think CISOs are missing?

Many CISOs are missing a mindset for innovation. With their overloaded work, adding the complexities of AI seems overwhelming. So, the quick reaction to that is to stifle innovation. I’ve seen that lead to many CISOs blocking and banning the use of AI. That’s the fastest way to get shown the door in that role. Embrace it because it’s not going anywhere.

The bottom line

I hope you’ve gained insights and knowledge from what Patricia shared above. As a leading voice in security, Patricia speaks with authority. She is in the trenches of data, cloud, and security and is at the forefront of understanding AI’s impact. She sees the landscape and knows what CISOs deal with on a daily basis.

As you can see, there are obstacles to implementing AI in any organization, but there are also common-sense strategies that can work. The bottom line is to move swiftly but carefully, maintain focus, and implement a well-thought-out plan.
