Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.
May 23, 2023
6 Min Read
Brian Penny via Alamy Stock
The proliferation of artificial intelligence has sweeping implications at the individual and enterprise levels. The IBM Global AI Adoption Index 2022 found that 35% of companies are using AI and 42% of companies are exploring the use of AI. For chief information security officers, AI poses a lot of questions. How will the CISO role evolve in response to increasing availability and use of this technology?
The CISO Role Today
The top five functions that report to CISOs are security operations; governance, risk, and compliance; penetration testing; security architecture; and product or application security, according to the 2022 Global Chief Information Security Officer Survey from executive search company Heidrick & Struggles.
AI could impact every one of those functions. AI tools can be used to enhance an enterprise’s security operations. Risk and compliance are core considerations when adopting AI technology. And CISOs need to understand how AI in the hands of threat actors impacts the security of their enterprises and products.
Cybersecurity and the CISO role no longer operate in a silo, separate from enterprises’ core leadership. “The CISO/CIO role is becoming more of a strategic leader of your organization’s cybersecurity program, partnering with your organization’s board of directors to ensure the framework of your program is both approved and that they play an active role in the oversight,” Laura Smith, CIO and SVP of health care system UnityPoint Health, explains. In the Heidrick & Struggles CISO survey, 88% of respondents shared that they report to the full board or a committee at their organizations.
Vasu Kohli, CISO of cross-channel marketing platform Iterable, also sees AI driving the CISO role to become one of strategic focus. “This puts the CISO in an architect seat and pulls them out of the operational role, which they often find themselves plugged into,” he says.
“New and different technologies will come along, but the CISO’s main responsibility will remain the same: to understand and balance the challenges and benefits that come with these technologies, and to be ready to respond,” says Arvind Raman, senior vice president and CISO at cybersecurity company BlackBerry.
The CISO’s Team
The rise of AI has fueled speculation that teams and job roles will be radically reshaped. What does this potential mean for CISOs’ teams?
At data and analytics company LexisNexis Risk Solutions, Flavio Villanustre, global CISO, and his team are exploring the potential use of technologies like Azure OpenAI, ChatGPT, GitHub Copilot, and GPT-4 “to supplement and enhance our team of analysts and engineers.”
Tom Conklin, CISO of automated data movement platform Fivetran, and his team are in the early stages of leveraging AI tools, using the technology for brainstorming and other initial creative work. “We expect to expand this in the future to integrate AI into our daily operations,” he says.
He anticipates that AI could make entry and mid-level roles more efficient and, eventually, reduce the need for some positions. “You will need fewer entry positions and shift towards staffing senior roles that can do things like enable your AI defense tools to cover more systems,” he says.
Villanustre sees a future in which AI could take the lead on cybersecurity. “As AI becomes better at refining their answers and even creating exploratory threads (e.g., using technologies like auto-GPT, which stitches AI answers with new autogenerated queries to refine and improve over time), it is possible the scales could be tilted the other way and humans will become the assistants with AI taking control,” he explains.
While this may be the future of cybersecurity teams, CISOs need the talent to use this technology today and the oversight to ensure it is being leveraged in the right ways. “As a CISO, my role is protecting our company and keeping our employees safe and data secure. Working in partnership with our legal team, we’ve implemented an internal policy for how MongoDB employees can use generative AI (GAI) tools on their work laptops for personal and work purposes,” says Lena Smart, CISO of database platform MongoDB.
The use of AI goes beyond just a CISO’s direct team. It requires enterprise-wide collaboration. “Make sure that you have legal, HR, product, marketing, TechOps, security and GRC onboard and that everyone is aware of the CISO role in the new AI world,” Smart recommends.
A Double-Edged Sword
AI has the power to make a CISO’s job easier in some regards and more difficult in others. Their teams can access AI tools to improve cybersecurity. Security operations centers (SOCs) field thousands of alerts every single day. “AI can help with finding needles in the haystack and help free up some human resources for other duties,” Raman points out.
But threat actors, inevitably, have AI tools to power their attacks. “AI can help attackers impersonate an individual, write a perfect phishing email, and identify weaknesses in seconds. It can also help threat actors create more feature-rich, resilient malware software and novel attacks that humans would be hard pressed to develop,” Villanustre says.
As CISOs and their teams learn how to leverage AI to defend, so will threat actors learn how to use this technology to exploit vulnerabilities and attack. “This arms race will continue for the foreseeable future,” Conklin says.
Preparation for the Future
We have barely scratched the surface of AI’s potential, positive and negative. CISOs not only have to contend with the technology’s immediate impact, but they also must prepare for how it will shape their responsibilities in the future.
The first step to preparing for that future is staying informed. “Relevant news and product updates come out every day; it's truly an information deluge. So, as a CISO, I need to be making time to be curious and learn about new developments and think about how they can impact our security posture,” Smart says.
The CISO’s primary responsibility is “to determine how to balance the risks and the benefits of any innovative technologies,” Raman says. Once CISOs are armed with the latest knowledge on AI, determining what that means for their enterprises is the next step.
Do they prohibit the use of AI tools until the risks are fully understood? Do they openly encourage their enterprises to leverage the technology? Organizations are doing the former, the latter, and everything in between. What works for one CISO and one enterprise may not work for another.
Where is a practical place to begin leveraging AI? “A good place to start is to ensure your organization’s security framework contains the necessary controls to identify and mitigate risks for AI-based technology and systems as they are different than those used by more legacy applications,” Smith says.
The increased use of AI will be an ongoing responsibility for CISOs. How can they technology be used effectively and responsibly? How can the risks be mitigated internally and externally? The answers to those questions, just like the technology they concern, will continue to evolve.
What to Read Next:
About the Author(s)
You May Also Like