You Need To Have The Talk


Very recently Brendan put up two posts about AI and cybersecurity. This part caught our wandering eye:

You can't ignore the fact that AI will make cyber attacks either better or more frequent or both. You can't run around like a headless chicken either. You can review your Cybersecurity Risk Profile and update it with an eye to what AI will make worse. Ideally, you already have such a profile and merely need to adjust it. If not, starting with what AI might do does not make sense. Start with what is already happening, how you are responding and then figure out what adjustments you will make and why.

The good news is AI isn't magic and your response isn't panic. The bad news is that things are going to get a bit worse before they get better.

It's time to have the talk with your senior leaders. You know this is coming: the talk about AI and cybersecurity.

It will feel awkward. It will be like sign language in a language you don't speak. You're an expert technologist. You were chosen for your role because you were more competitively capable than the other applicants. Hooray.

And, you don't have answers. In fact, as Brendan notes, the only thing you actually really know is that "things are going to get a bit worse before they get better."

And, they have questions. As smart and hard-driving as they are, they're at best maybe marginally better educated about cybersecurity than most people in the organization.

Their biggest question is, How bad is it?

Your best option is to have questions also. Your best question, the one that shows you "get it," is: what questions do you have about the courses of action my team and I have prepared for your review?

The legitimacy of that question relies upon your having developed a cybersecurity risk management plan. Your proposed courses of action then, as Brendan says, "Start with what is already happening, how you are responding and then figure out what adjustments you will make and why."

Your leverage as a technical leader is that you are prepared, through the planning that you have engaged in, to support and further the organization's strategy. Once you have those plans and have stress-tested them relative to the organization's strategy, then you are speaking the same language as your senior leadership and they will listen to you. It's appropriate to bring them your plans, aligned with strategy, and talk about how AI might affect those plans -- and how those plans direct your organization's AI strategy.

If your cybersecurity plans do not support and further the organization's strategy, you have not engaged in strategic planning; you have engaged in noodling or tarot card reading or something. That's not what you get paid to do.

Ask us how you can effectively engage with senior leadership.
