"AI is advancing at a breathtaking pace. CISOs have got to make sense of what it means for their business, its customers, and the infrastructure they protect." Explains James Henry, Crossword's Consulting Director. That means that it's time to start creating a "Generative AI Cyber Security Strategy".
Over the past year, the rise in the latest Generative AI platforms has been staggering, and has led to several large language models (LLMs) with chat interfaces such as ChatGPT, Llama and Bard. But Generative AI can also be exploited, with tools such as WormGPT and FraudGPT being used to create potential new threats. These tools and others are being used to great effect, with an impact that defenders are working hard to match.
As if the CISO and the wider security team didn’t have enough on their plate, deciding where Generative AI sits in the overall cyber mix is both a real challenge and opportunity. But one thing is for sure. CISOs can't afford to ignore it!
One of the main opportunities we’re hearing about is the potential for Generative AI to enhance, or in some cases, replace resources within the security team. We are consistently seeing teams who are overloaded with resource intensive, repetitive tasks and projects. These time sapping activities include such things as Continuous Monitoring, Threat intelligence, Vulnerability Management and Incident Response. There is a strong argument that AI could actually support security teams, and take on some of the routine, heavy lifting, freeing hard pressed teams to focus on higher value tasks.
Generative AI has huge potential to be used defensively to automate intensive security team tasks, allowing a team to be much more efficient and focussed on fixing, rather than just identifying vulnerabilities. These tools could even be used to automate specific tasks when a trigger is received, acting as an autonomous, intelligent security playbook. The opportunity for AI within the security team, as a partner, may well outweigh the threats. Unlike some who take a cynical or pessimistic view of the potential for Generative AI in the cyber security field, we are optimistic about its potential.
The role of AI beyond the security team, is one that many companies are grappling with, as they explore how it can create competitive advantage and improved efficiency. For the CISO this is an additional challenge. It extends the threat surface far beyond the traditional role of cybersecurity teams. The speed of adoption across companies and the potential for a wide variety of people across the business to suddenly have all-powerful tools to create code and models at the press of a button, is a real headache from a cyber security perspective.
Meanwhile, Regulators are working hard to draft legislation that will create protections and place requirements on AI-based solutions. The EU AI Act, passed in June 2023, is an early example, and other regions are legislating too. Wherever AI is employed, vendors and customers will need to stay on top of the latest regulatory requirements, particularly as there is much ongoing debate about the form legislation should take. For a company operating in different regions, AI legislation can be expected to differ across each jurisdiction.
As threat actors advance their AI skills, defence and security tools will need to keep up and ideally get ahead of the curve. CISOs that adopt a well thought out Generative AI Cyber Security Strategy will be more efficient in their operations and more effective in combating the coming wave of AI-driven threats. CISOs who put this on the back burner by taking a "wait and see" approach, or fail to oversee AI outside the security team, will leave their organisation and wider supply chain exposed.