NIST CSF Responds to AI
We were planning to be done posting for the year, but this trigger was timely, so here is just one more post for 2025.
At Pythia Cyber we use the NIST CSF because cybersecurity is too important not to use a proven methodology, and this proven methodology seems the most flexible of the commonly accepted ones. (Want more detail? Start here.)
Because we use the NIST CSF, we have kept to generalities when talking about how to use AI in your cybersecurity risk management process, since the CSF had not yet been formally extended in this way.
But a few days ago, that changed. NIST has done their usual thorough and reasonable job of doing just that: formally extending the CSF to address Artificial Intelligence, announced in "Draft NIST Guidelines Rethink Cybersecurity for the AI Era."
We certainly encourage you to read both the blurb about the draft (linked to above) and the draft itself (linked to in the blurb). To whet your appetite, here is a sample:
The Cyber AI Profile centers on three focus areas:
- Securing AI systems: identifying cybersecurity challenges when integrating AI into organizational ecosystems and infrastructure
- Conducting AI-enabled cyber defense: identifying opportunities to use AI to enhance cybersecurity, and understanding challenges when leveraging AI to support defensive operations
- Thwarting AI-enabled cyberattacks: building resilience to protect against new AI-enabled threats
“The three focus areas reflect the fact that AI is entering organizations’ awareness in different ways,” Cuthill said. “But ultimately every organization will have to deal with all three.”
We feel that this framing is exactly right (and not only because it mirrors our own posts in this area).
If you use AI in your business operations, you need to protect that AI from poisoned input, or the very machine learning you depend on will be turned against you.
Because the bad guys are doing it too, you need to use AI as part of your defense. Specifically, use it to automate vulnerability detection and, under strict control, to automate your responses to cyber attacks.
Because the bad guys are using AI as part of their offense, you need to adapt. Specifically, you need to keep abreast of advances in evil AI because sticking your head in the sand is not an option.
You need to start overhauling your processes to respond to this new threat environment. Changing your trusted routine is hard. We can help.

