Last week, I attended a very interesting discussion with profession fellows and friends about AI and Cybersecurity. Thanks a lot to Deloitte, Cinco Días and Diego Barcena Alvarez for the opportunity to be part of this; thanks to the other CISOs in the call: Javier Zapata Victori (Quirónsalud), Roberto Baratta Martinez (ABANCA) and Pablo R. (Naturgy); thanks to Manel Carpio and Andreu Bravo, CISSP/CISM from Deloitte for facilitating this discussion. The full publication can be read here: https://lnkd.in/dXv2Mva7
My key takeaways:
👉 AI (especialy GenAI) as a clear opportunity and unavoidable disruptor for every industry. 4 mainstream use patterns were discussed:
1) Consume 3rd party AI solutions and assistants
2) Build your own AI platform
3) Defend with AI
4) Be attacked with AI
👉 AI is also an opportunity and disruptor for Infosec teams. There are a number of Security challenges with AI, among others:
- AI misuse: Shadow AI (non-sanctioned use of AI) can lead (and has led) many organizations to unintentional data breaches, sometimes exposing regulated / confidential information
- AI augmenting Cyberattacks: deep fakes and AI-powered phishing for social engineering and AI-crafted malware and exploits are growing
- AI as a target of attacks: from training data poisoning, to attacks against the AI platform itself, AI is a new crown jewel to protect for organizations
- Increased supply chain exposure: as supply chain partners use AI as well, their AI could be breached. Also their use of your information to potentially feed their AI models is subject to contractual discussions
👉 Opportunities for Infosec include the use of AI to augment the current Cybersecurity capabilities. Although AI has been used in many Cybersecurity products and solutions for years, next gen AI will definitely boost their evolution. SOC and SOAR area example areas where AI is expected to thrive. Basically AIs fighting AIs.
👉 Solutions come from 3 pillars:
- AI Governance: new roles and responsibilities need to be put in place to cater for the proper (legal, compliant, secure and ethical) use of AI within each organization. Ownership should be allocated to a CAIO (Chief AI Officer) role, which in many cases will be allocated an already existing executive, whose placement could vary depending on the vertical.
- AI protection: AI systems are just systems at the end of the day. While Infosec teams have the knowledge and the tools to protect systems, the threat model for certain AI systems is complex, and so can be the solutions to protect them (and make them compliant). Security awareness is also a key asset in this regard.
- AI compliance: from a regulatory compliance standpoint, in order to set a regulatory baseline, the upcoming EU AI Act will foster a framework aimed at regulating the deployment and usage of AI within the EU. It will be effective August 2024.
