But Seriously, What Is Your AI Cybersecurity Strategy?

Givens:

1. You need a cybersecurity strategy

2. You're investing in AI

Therefore, you need an AI-oriented cybersecurity strategy.

An AI process or platform is not the same thing as an AI strategy. As Brendan notes frequently (e.g., here), the NIST CSF endures because it anticipates and outlines the need for a strategy. As you work through the NIST process in developing your AI cybersecurity strategy, you can anticipate that the integration of AI into typical work functions is meant to create productivity. The implication is that your AI strategy needs to anticipate growth in utilization and use cases. Remember, the bosses spend money on AI because there is an anticipated return on investment, and the same bosses expect your shop to create a secure environment for the AI. 

How would you develop an AI cybersecurity strategy?

Think of the development of your AI cybersecurity strategy as part of your AI platform purchase. The upside is that you don't pay for it per se, though you might contract for the development of one. The downside is that, as we frequently find, coming up with governance and strategy is boring for many cybersecurity folks, and you'll need to work with nontechnical people to find the strategy approach that works for the cybersecurity function as well as for the organization. 

But do so you must because the AI strategy is going to make the AI system work, it will guide further investment, and it will create the framework for how your organization functions from a technical perspective.

What's in that AI cybersecurity strategy? 

Start by asking yourself these three questions:

1. Suppose that your organization buys an AI cybersecurity product. Do you now have cybersecurity?

2. If you had the Anthropic Mythos product (or an OpenAI etc comparable product) or an agentic AI system review your systems and that scan found liabilities and then you fixed those, do you now have cybersecurity?

3. It is highly likely that your organization has not yet figured out how to leverage AI to create productivity. What happens when you turn everyone in your organization into the equivalent of desktop vibe programmers? Think of all that intellectual property going into an AI...

These three questions come from the cybersecurity perspective. They are important, but they are not speaking to the business operations side of the organization. It wants productivity from the AI; you want cybersecurity for (or through) the AI. This is your chance.

Consider these four AI productivity questions by Paul Goydan, Jacopo Brunelli, and Kevin Kelley at BCG:

Where is AI increasing output, but not reducing effort or cost? Consider communications: AI can generate content instantly, but if it still takes days to align stakeholders and secure approvals, much of the underlying effort hasn’t changed.

What work still exists today that no longer needs to? Are teams producing gold-plated outputs—overengineered reports, excessive analyses, or multiple review cycles—where the level of effort required far exceeds the value created?

Where are we accelerating complexity instead of removing it? In many functions, AI increases output while expanding the system around it. More content to manage, more leads to qualify, and more code to maintain. How is freed-up capacity being used—and who decides? Teams may use it to take on additional projects, increase service levels, or expand scope. In some cases, individuals may simply reclaim time. These outcomes could be desirable. But they should be the result of deliberate choices, not default outcomes.

Which roles are being redefined, versus simply asked to do more? Too often, roles aren’t fundamentally redesigned. Employees take on higher volumes, more complex tasks, and greater cognitive load while AI absorbs routine tasks. However, without adjusted support and recalibrated expectations, increased effort may not reach the bottom line.

Strategy is about what you choose to do and what you choose to not do. There are implications of any strategy as well as timeframes and costs. As AI continues to be implemented, having answers or at least recommendations for the role of cybersecurity in AI-driven productivity conversations keeps your seat at the table.

Ask us how you can help you shape the AI cybersecurity strategy that you can grow with.

(image credit: NPS Graphics, Public domain, via Wikimedia Commons)