The CISO’s Guide to AI: Embracing Innovation While Mitigating Risk
The chief information security officer (CISO) role has evolved over the last 20+ years. And believe it or not, it’s not because of the latest SEC regulations. The CISO role has always been about balancing progress with protection, even if we’ve not historically been amazing at it. We’re always being asked to do more with less: advancing business objectives while staying within budget. Managing risk in this type of environment is difficult, to say the least.

Yet there may be hope on the horizon from an unlikely source. In fact, it comes in a form that some CISOs see as one of the riskiest they’ve encountered in their careers. Of course, I am talking about Artificial Intelligence.

We have entered the AI age. From this point on, the delicate dance between innovation and risk mitigation will be even more complex. While AI promises groundbreaking solutions and increased efficiency, its nascent nature raises security, ethical, and moral concerns. Fear, however, cannot keep us from taking appropriate action. Blocking AI outright hinders innovation and puts companies at a competitive disadvantage in terms of both protection from adversaries and competition in business.

The key lies in proactive, informed leadership. As a CISO, understanding AI and its risks is crucial to effectively managing its implementation and reaping its benefits, without putting the organization at risk.

As a colleague of mine at Zscaler, Sean Cordero, has reminded me many times: AI is just one more technological advancement we must deal with. CISOs had the same uncertainty about developments like bring-your-own-device (BYOD) and cloud adoption, both of which are now common. It’s likely that AI will become ubiquitous, which means CISOs must know how to manage, guide, and lead AI’s adoption.

Navigating the Landscape: Key Considerations for CISOs

1. Demystifying AI

I tell my team not to work in fear, uncertainty, or doubt (FUD) about the new or unknown.
When it comes to a new technological advancement like AI, we need to stop, learn, and absorb. We must gain a grasp of the basics. AI encompasses various techniques like machine learning, natural language processing, and computer vision. Each has its own risks. Familiarize yourself with the specific AI applications your company is exploring and their potential security implications.

Whenever I’m evaluating solutions, I think to myself, “How can I get to yes?” What guardrails must be in place for me to be confident the initiative is proceeding in a managed way, not in the background as shadow IT without the confidence of the business? While building our technical knowledge, we also must research associated risks.

2. Understanding common risks

I like to start with industry best practices when identifying risks. For AI, I’ve found the OWASP AI/ML Top 10 to be a good starting point. The framework identifies the ten most critical risks associated with AI systems. It’s a valuable resource for understanding the attack surface and prioritizing mitigation strategies. Key areas of concern include:

Data poisoning: Malicious actors injecting manipulated data to sway the AI’s output.
Model inversion: Extracting sensitive information from the AI model itself.
Privacy violations: Unintentional or deliberate misuse of personal data used to train the AI.

Thankfully, we’re not starting from scratch. Just like starting a security program, we can build around a framework that acts as a blueprint for what we’re building. It provides something to show (or “sell”) to executive staff and helps measure progress along the way.

We can also look to see what regulations and guidance already exist for AI. After all, AI isn’t new. OpenAI (of ChatGPT fame) was founded back in December of 2015.

3. Understanding AI regulations