CISO Guidance for AI Security

Every day, organizations are finding new uses for AI models. As with any transformative technology, AI introduces both risks and opportunities for businesses, and organizations should be prepared to protect their AI technology at the same level they protect traditional “crown jewel” or other sensitive data. Senior leadership will look to CISOs for guidance, both on how to protect AI and how to use it to enhance the security of their organizations. What follows is some guidance on how a CISO might proceed as AI technology evolves and is deployed.

Understanding Organizational AI Initiatives

• Establish AI Credibility: The CISO must not assume the organization will immediately see them as an advisor on AI. The CISO should invest considerable learning in both reading about and using AI technologies hands-on. CISOs who do not normally engage in hands-on learning should change their approach as an exception. CISOs should engage in grass roots conversations with senior leadership executives to establish their place in strategic AI conversations.
• Gather Information and Form Policies: Similar to how they would treat other business initiatives, the CISO should understand what role AI is now playing internally and, if possible, what role it will play. This will help to shape policies covering data privacy, ethical use of AI, and compliance with relevant regulations. The CISO will not be solely responsible for these policies but must be a stakeholder when they are developed.
• Collaborate and Integrate Security into the AI pipeline: Mimicking the involvement they might have with their Dev Teams, the CISO should work closely with the teams developing and using AI in the organization. This collaboration can help facilitate the integration of security considerations into the development and deployment of these technologies.

Consuming Publicly Available AI

• Train and Spread Awareness: The CISO should strive to make all employees aware of the potential security risks associated with the use of AI and large language models. This includes training employees on how to use these technologies responsibly and securely. Part of this should involve adding “deep fake” content to existing phishing awareness training.
• Identify Uses: The CISO should to gather information on how AI is being used internally, first through inquiry, and then by verifying and hunting using existing tools. CASB and EDR can gather data on public AI endpoint traffic volume and the sources generating the traffic.

Protecting Internally Developed AI

• Protect Models: Internally developed AI models can quickly become “crown jewels” of an organization and the same policies and protections that are placed on existing high target data should also be placed on AI models.

Enhancing Incident Response

• Purple Team: Conduct purple teams that include AI-generated payloads and scripts to understand the effectiveness of current tooling.
• New TTX Injects: Include AI in the next tabletop exercise scenario and begin to generate an incident response plan for security incidents (data loss, AI model poisoning, etc.).

Enhancing Detection and Response

• Increase SOC Efficiency: Enhance your SOC’s agility by integrating AI where appropriate. For example, quickly develop SIEM alerts and custom EDR rules for emerging threats and combine them with SOAR technologies to show your analysts full contextual information so they can triage and mitigate threats faster.
• Reduce Attack Surface: Prevent vulnerabilities from entering production by using AI SAST tooling to identify security flaws in source code.

Potential Risks with AI

There are some clear risks that the CISO should also convey to the organization as using public AI becomes more ingrained into the culture:

AI will continue to be part of how organizations conduct business. Like other recent new technologies and adoptions like cloud, protecting the business processes and the systems that support AI will need to be part of the cybersecurity plan.