Founder and CEO, Corix Partners | Board Advisor | Non-Executive Director | Author of “The Cybersecurity Failure Spiral and How to Get Out of It”
For the past few years, the business world has been grappling with what to do about generative AI (GenAI). Largely because of the hype and fear of missing out surrounding the technology, the topic has dominated the agenda of many executive teams.
In many cases, I believe that Chief Information Security Officers (CISOs) have not been at the heart of the discussions as they should have been, with the debate around AI often taking precedence over their priorities. For this reason, some of them may be tempted to jump on the GenAI bandwagon and capitalize on the increased interest from executives. But the question is how best to do this.
Having critiqued in my previous article the broader issue of AI hype potentially compromising cybersecurity practices, I would like to offer specific advice to CISOs on how to navigate an increasingly AI-driven business landscape while effectively integrating cybersecurity considerations.
Navigating the Meeting Room with AI and Cybersecurity
First, I think CISOs need to avoid repeating historical situations where cybersecurity was seen as at odds with business needs and the CISO was simply the “no-sayer.” Any opposition to the AI tidal wave we’re seeing now – for whatever reason, valid or not – is unlikely to be heard.
I think CISOs should also avoid entering the boardroom out of fear, uncertainty and doubt; the topic is potentially too serious for that and, more importantly, it does not warrant it.
Overall, it may be helpful to keep in mind that AI and cybersecurity have several characteristics in common:
• Data, and data integrity in particular, are at the heart of both.
• Governance is also at the heart of both; in the case of AI, it serves to ensure ethical and responsible use.
• Regulators are stepping up their efforts in both areas, placing the topic at the top of the priority list for audit and compliance departments.
Effective Communication Strategies for CISOs in the Age of AI
CISOs need to understand that AI is attracting the attention of executives because its use cases are expressed in a language they can understand and relate to: productivity gains in call centers, elimination of manual tasks in back offices, etc.
Many CISOs have long been trapped in an unproductive dialogue with high-level speakers, presenting outdated, risk-driven, bottom-up, ROI-focused use cases that consistently missed the mark.
Business leaders need to understand that cybersecurity is simply a central and natural dimension of any AI strategy:
• Data poisoning, whether malicious or negligent, can lead to poor outcomes and poor decisions, with potentially catastrophic consequences in some industries (defense, healthcare, etc.).
• Illegal use of personal or copyrighted data to train AI algorithms in violation of laws or regulations can result in legal action, reputational damage, and heavy fines, not to mention personal liability in some cases.
• Without a clear policy on the use of AI within the enterprise, the influence of hype and FOMO will persist across all business units, leading to the rise of shadow AI, just as shadow computing appeared more than ten years ago to circumvent the perceived rigidity and slow response of IT departments.
Making AI Policy a Priority for CISOs
This awareness is needed now, not next year or when someone feels like paying attention.
A robust policy approach that documents how the use of AI can remain safe, ethical, and responsible, and outlines how these aspects will be governed and executed across the enterprise, must intentionally involve the CISO and other key stakeholders. This, in my view, is the agenda that CISOs should be championing.
This is not about unnecessary bureaucracy. AI, like cybersecurity, is by its very nature an issue in which interactions between different departments must be integrated. This does not happen naturally or organically in the large enterprise, which is almost inherently siloed, territorial and political. These interactions between different departments must be designed, encouraged and properly managed; otherwise, they do not happen.
CISOs, together with CIOs and CDOs who share a similar interest, should view the political route as the best medium- to long-term solution to secure a legitimate seat at the negotiating table from which they can protect their own interests and priorities, as well as those of the business.
As I wrote almost a decade ago, when it comes to cybersecurity, good governance remains essential. This is not useless consultant jargon, but a critical piece of the puzzle. When it comes to AI, it is what will determine whether companies succeed or fail in the tech space.
Forbes Business Council is the leading growth and networking organization for business owners and executives.