{"id":1506,"date":"2025-01-14T09:00:00","date_gmt":"2025-01-14T09:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1506"},"modified":"2025-01-14T09:00:00","modified_gmt":"2025-01-14T09:00:00","slug":"gen-ai-strategies-put-cisos-in-a-stressful-bind","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1506","title":{"rendered":"Gen AI strategies put CISOs in a stressful bind"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Senior executive perceptions on the promise of generative AI are proving to be a siren song for many CISOs.<\/p>\n

According to a recent survey from NTT Data<\/a>, 89% of C-suite executives \u201care very concerned about the potential security risks associated with gen AI deployments.\u201d But, the report found, those same senior execs believe \u201cthe promise and ROI of gen AI outweigh the risks\u201d \u2014 a situation that can leave the CISO as the lone voice of risk management reason.<\/p>\n

And it may be taking its toll, as almost half of enterprise CISOs \u201chold negative sentiments\u201d about generative AI, feeling \u201cpressured, threatened, and overwhelmed,\u201d according to the survey.<\/p>\n

The conflict is quite familiar. Senior executives pressure line-of-business chiefs to embrace a new technology to leverage efficiencies and boost the bottom line. But generative AI is risky business \u2014 arguably more risky than any technology to date. It hallucinates<\/a>, overrides guardrails<\/a>, jeopardizes compliance, and gobbles up sensitive enterprise data<\/a>.\u00a0And it\u2019s being embraced by enterprises quickly without proper security hardening<\/a>, while being pushed by vendors who highlight functionality over security.<\/p>\n

\u201cIt\u2019s the wild west, with lots of AI applications and large language model choices making it tough to vet what\u2019s secure. There are also applications that are masked to look legitimate but are schemes to exfiltrate data and facilitate ransomware,\u201d said Will Townsend, VP and principal analyst at Moor Insights & Strategy. \u201cThe concern around data leakage is real. We are already seeing that happen along with prompt injection attacks introducing malicious code.\u201d<\/p>\n

One of the most problematic gen AI issues CISOs face is how casual many gen AI vendors are being when selecting the data used to train their models, Townsend said. \u201cThat creates a security risk for the organization.\u201d<\/p>\n

Veteran security leader Jim Routh, who has held CISO-level roles at Mass Mutual, CVS, Aetna, KPMG, American Express, and JP Morgan Chase, said generative AI\u2019s penetration into SaaS solutions makes this more problematic.<\/p>\n

\u201cThe attack surface for gen AI has changed. It used to be enterprise users using foundation models provided by the biggest providers. Today, hundreds of SaaS applications have embedded LLMs that are in use across the enterprise,\u201d said Routh, who today serves as chief trust officer at security vendor Saviynt. \u201cSoftware engineers have more than 1 million open source LLMs at their disposal on HuggingFace.com.\u201d<\/p>\n

Robert Taylor, an attorney who specializes in AI and cybersecurity legal strategies and serves Of Counsel with Carstens, Allen & Gourley, an intellectual property law firm based in Dallas, said he sees a common theme at all levels within organizations of every size.<\/p>\n

\u201cThey don\u2019t know what they don\u2019t know. At least CISOs are already primed to think of risks and have an idea of the security risks posed by AI,\u201d Taylor said. \u201cBut AI comes with a lot of new security risks that they are trying to get their arms around.\u00a0There are projects in the works trying to assess the many types of security risks that arise with gen AI. I\u2019ve heard categories of security risk numbering into the hundreds to well more than a thousand types of security risks.\u201d<\/p>\n

All this can take a psychological toll on CISOs, Townsend surmised. \u201cWhen they feel overwhelmed, they shut down,\u201d he said. \u201cThey do what they feel they can, and they will ignore what they feel that they can\u2019t control.\u201d<\/p>\n

An accelerating issue<\/h2>\n

Meanwhile, as senior execs push forward, leaving their CISOs overwhelmed by the risks, attackers are moving rapidly.<\/p>\n

\u201cThe bad actors are feverishly working to exploit these new technologies in malicious ways, so the CISOs are right to be concerned about how these new gen AI solutions and systems can be exploited,\u201d Taylor said.\u00a0\u201cGen AI solutions are not traditional software and services and have some vulnerabilities that other technologies don\u2019t have to deal with.\u201d<\/p>\n

Worse, Taylor argued, gen AI risks are more amorphous and shifting<\/a> compared to traditional technology risks.<\/p>\n

\u201cGen AI continues to morph post deployment, which creates further opportunities for security risks such as prompt injection, data poisoning, and extracting confidential information or PII\u201d from the information shared with the gen AI, Taylor said.\u00a0<\/p>\n

Jeff Pollard, VP and principal analyst at Forrester, pointed out that prompt security, in particular, \u201cis immediate and necessary if the organization has customer-facing \u2014 or employee-facing but customer-impacting \u2014 prompts that could lead to unauthorized data access or disclosure.\u201d<\/p>\n

And the problem, Pollard said, is going to get a lot worse \u2014 quickly. \u201cIt\u2019s important to learn how to secure these now because this is the first version of generative AI that might see widespread enterprise deployment. Agentic AI is coming soon \u2014 if it is not already here and that will require these controls and more to secure correctly.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Senior executive perceptions on the promise of generative AI are proving to be a siren song for many CISOs. According to a recent survey from NTT Data, 89% of C-suite executives \u201care very concerned about the potential security risks associated with gen AI deployments.\u201d But, the report found, those same senior execs believe \u201cthe promise […]<\/p>\n","protected":false},"author":0,"featured_media":1507,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1506","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1506"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1506"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1506\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1507"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1506"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1506"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1506"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}