Your AI Cybersecurity Strategy: Frame The Conversation

AI & Cybersecurity

What role should AI play in cybersecurity? Driven by the quick and effective adoption of AI by cyber criminals, cybersecurity professionals are under pressure to react somehow, as Ted has already discussed in this post. In that post Ted points out that the business side of the house and the Cybersecurity group (C/S) have very different wants and needs from AI, and that C/S will allow the business side to dictate strategy at their peril. This post is about how C/S can frame that discussion so as to be productive rather than combative. You can't do whatever they are doing because AI means different things to C/S than it does to them.

The Business Side

Let us consider how AI looks to the business side of the house so that we can define some of those differences and better communicate those differences.

Utopian View

AI will usher in a new era of workplace productivity and satisfaction because it will handle all the white-collar drudgery that plagues our workdays.

Dystopian View

AI will take over an ever-increasing share of all white-collar jobs, hastening the already underway hollowing out of the middle class and threatening the very basis of our economy.

Dire Warning

The replacement of entry-level workers with AI is already happening. This lack of ability to get on the career ladder is hurting young people now and will hurt companies later when there are no candidates to replace middle tier workers.

The Cybersecurity Side

Things look very different to the cybersecurity side of the house.

The AI Threat

As is often the case, it was easier and simpler for the bad guys to leverage AI in order to be better cyber criminals. That meant that C/S had to respond pretty quickly, shifting or adding resources to balance the new or increased threats. This was less about a strategy and more about day-to-day operations.

However, the external AI threats were not the whole story: unmanaged use of AI inside the organization created a host of new risks, such as agentic AI running amok or AI being tricked into revealing your secrets. Responding to these threats was often a case of cleaning up after the elephant as the business side charged ahead without consulting C/S first.

The Cyber Threat Mirror

Since the bad guys are using AI to break into systems, systems administrators are using the same AI to try to get the same vulnerability lists. This is the mirror image of using AI to break cybersecurity: the sysadmins are trying to plug the chinks in the armor, not exploit them. There is some risk in doing this, but done properly it makes sense. However, this also isn't a strategy; it is a tactic.

Practical Applications

There are practical applications of AI to daily C/S operations, as discussed in this post.

The Conversation

Your organization's AI strategy is no different from your C/S program: the business side has to do whatever they need to do, but in a C/S-aware way. C/S has to secure the digital assets, but not in a way that makes those assets impossible to use.

Don't tell the business people that they can't forge ahead alone in adopting AI because their actions affect us all; do ask them to keep you informed so that you can keep up with them.

Don't tell the business people that they shouldn't try to use AI as a productivity tool, specifically using private accounts at work to operate on company data; do survey the business people to find out what they want AI for and ask them to join you in figuring out the safest way to do that.

Don't tell the business people that they should not be using AI whenever they like while using AI internally "because you know what you are doing." Do invite the business folks to find out what you are planning to do, and why, so that they can see responsible AI adoption in action.

The business side and C/S are different facets of the same thing: acting as if they are separate entities is going to create a gap in your cybersecurity which is as unnecessary as it is dangerous. But remember that C/S is a partner in the AI strategy, not a despot. Don't dictate and don't scold. Offer help and ask for consideration.
