Security Is EVERYBODY’s Business, But CISOs Need to Lead


It’s an interesting time to be a part of the strategy business, with generative AI and all the capabilities around AI taking center stage, says Saugat Sindhu, Senior Partner, Global Head of Strategy and Risk Practice, Cybersecurity and Risk Services at Wipro. Seeing how the industry is evolving and how services evolve to cater to these new capabilities is at the forefront of all strategies.

ITSW: The strength of the cyber security posture of any organization is only as strong as its weakest link. Employees are the weakest link in every organization’s cyber security posture. So what are the strategies that CISOs can embrace to create cyber security awareness throughout the organization and among its employees? What do you think they should do to make sure that doesn’t slip up?

SS: Typically, cybersecurity awareness is seen as a checkbox item, where you do an annual training, and that’s all. There’s not a very heavy push from the leadership, the CISO of the company, and the board of directors. That needs to change. The Board and the CISO leadership need to be engaged in all kinds of awareness and training. And once employees see that their leadership is so engaged in cybersecurity, they are more invested in the training and any awareness. And secondly, I would say, make the awareness exercise a bit more interactive.

Many clients participate in gamification: cyber security games, trivia, and quizzes. They are more involved in it. These activities can be made scenario-based. This will ensure that employees learn the negative effects of something going wrong rather than just doing a quick quiz after sifting through a few slides.

I think that’s something we advise our clients to do. As an organization, we also emphasize awareness training being more interactive.

ITSW: What role does a CISO play in the boardroom, and how can CISOs communicate effectively and transparently with the board members to make them understand the cyber risks and the threats to their business? What is the kind of impact that a CISO can have on the board in making the right decisions for better cybersecurity resilience?

SS: I think the CISOs are very important members of the leadership team. And they need to be business enablers in the boardroom. Cybersecurity is not an audit or internal audit. There is a fine line of difference there. And as much as the CISO is seen as somewhat more of an enforcer, they need to be seen as an enabler to the business.

CISOs need to have very direct, effective, and transparent communication with the board members when it comes to quantification of everything that they’re doing. And when I say quantification, what I mean is quantification of risks to the organization. Some of the board members will be closer to cybersecurity risks. Some of them may be closer to a reputational risk or a financial risk.

But if a CSO can stitch that story together and quantify it for the audience of the board, I think that goes a long way. That’s what’s needed because, in the situation in the market that we are in right now, with the threat landscape changing, with new capabilities coming into play, I think it’s critical. CISOs need to ensure the message is articulated well in the boardroom.

ITSW: So, is that one of the reasons why security practice heads and CISOs need to have a seat at the board table?

SS: They certainly do. And we don’t see it often. We see it quite a bit in Fortune 100 and Fortune 50 companies. There’s a new role that has been created in many organizations – that of the Chief Risk Officer. So, there needs to be a bit of a marriage between the Risk Officer, the Security Officer, and the internal audit team. That is, there has to be a single voice for all these functions. If they all sing the same tunes, it has a better impact at the board level. As you know, cyber risks are very tangible. There are impacts. You can have reputational damage. You can also have regulatory fines. If someone can quantify that in the context of your business, that goes a long way.

In the role of the Risk Officer, a part of their responsibilities is compliance as well. So, it is an all-encompassing kind of role.

ITSW: What do you see as the role of artificial intelligence in cyber security? Does it help businesses to prevent cyber risk or save them from being exposed to significant threats? And if there are threats due to AI tools, what are the best strategies to stay secure from the risks that are exposed by generative AI technology?

SS: Yes, it’s just like anything with technology. A few years ago, we were talking about the cloud in a very similar way. And now it’s AI! So, for AI, you can use it to strengthen defenses and shorten response times within our cyber processes because it can recognize patterns and make decisions based on existing data sets and past cyber events. It can identify false positives and logs, which has been a problem for cyber professionals for quite some time.

So, it can be seen as something that complements and supplements your cybersecurity measures. Then, you talk about detection, response, and remediation. And then, you know, something that not many people talk about regarding AI is behavioral science, right?

We just talked a little bit about cyber awareness. How do you inject AI into the behavioral science of your employees to create a better awareness campaign and look for more insider threats? Those are some of the things that AI can help you with as well. And when it comes to generative AI, the risks are around the foundations of the data, the models.

So, effective access control and data security measures are very important. Ensure that the sensitive data used in generative AI models is identified and removed adequately. You don’t want that to become public at any time. And lastly, misuse and misinformation of data.

Generative AI models are a big problem. I’m sure you have seen some things that have happened with the AI models available in the marketplace, whether Google or Microsoft. And that can only be solved through adequate governance processes. So, some organizations have developed a few frameworks that they need to adapt to and then amalgamate into their generative AI capabilities.

ITSW: What are the biggest cyber security threats that businesses must know about today? What are the best strategies and technologies that organizations can implement to stay secure from those threats? Is there any innovative or new technology that has recently evolved that can help in this scenario?

SS: Yeah, I think as we look forward, there are a couple of threats that have remained from the past, and they have just evolved. Infrastructure-related issues continue to be a pain point. The supply chain and security of your supply chain is a big thing in the marketplace right now. And then, obviously, building resilience into your business processes is critical from a cyber perspective.

Those things are always there and they’re not going anywhere in terms of focus areas. The new threat landscape that has been exposed now results from the wide adoption of AI.

Specifically, generative AI. And I think we talked about some of the things that we need to do as it relates to generative AI.

But I think, for the most part, the majority of generative AI issues can be solved through strong governance. So, you know, having a COE of sorts, comprising the legal team, the CISO team, the business teams, and the HR teams. This is critical because generative AI capability should be, you know, allowed for all the employees.

They all make a case for generative AI capability and sort of envelop the risks around it, thereby putting some guardrails around the use of generative AI. I think that’s very important and it’s needed. In terms of some of the technologies that are out there, I’ve seen a lot of success being had in the marketplace when it comes to the use of machine learning with agentless scans to identify data types in your network. I think that has helped preventative and detective measures quite a bit in the marketplace. Let’s continue to invest in those areas.

ITSW: What do you see the cybersecurity landscape looking like in the next five to seven years? How are things going to change? How is the landscape going to change? How are companies going to be prepared for it? What are technologists like yourself and your organizations doing about it?

SS: AI takes center stage in everything in the next five to seven years. And you have to think about how that evolves from a process, people, and technology perspective. On one hand, the power of AI reduces a lot of the manual labor required to run cyber processes.

On the other hand, there are exploits faced through some of the new AI technologies. That puts companies at severe risk of misinformation and reputational damage, specifically in the context of competition that companies are going through right now. So from that perspective, aligning or creating your cyber program where each of your cyber capabilities, whether it is zero trust, identity and access management, or governance risk and compliance – all of those different capabilities that exist within a CISO’s portfolio now need to account for AI and specifically generative AI. How you can enhance your cyber posture through generative AI is a question everyone will want answered in the next five to seven years.

And then also ensuring that the fundamentals of infrastructure security are still maintained!

ITSW: Right. I was just a little curious. There have been a lot of conversations that have been around regulations for AI usage, compliances, and all of that, especially in the US market. What is your take on that? Do you think it’s going to change anything? Do you think it’s going to help?

SS: It will certainly help, and all the regulations coming forward are looking at governance first, as I mentioned, the National Institute of Standards and Technology (NIST). I don’t think anyone wants to gauge the capabilities of AI right now. They want to govern it and ensure it is used correctly. And I think that’s where we will land. If you stifle the capabilities and the raw power of AI, you’re not going to get the benefits that you want out of it.

So, the best thing you can do is make sure that it is used in the right context and on the right data so that people don’t misuse it. So I think that will continue to be a thing. And then privacy is going to be a big thing as it relates to AI because so much data is involved, so much personal information is involved.

We always talk about biases in the data models, removing that bias, ensuring that companies don’t have any unfair advantage in marketing, and then trending marketing data using AI. Those are the things that the regulators are going to work on and make sure that everything is used within the context of the business.


ITSW: So, in your opinion, would good strong governance and strong regulatory compliances in place also help to reduce the security risk of maybe a generative AI or any other type of AI that is being used? Would there be any?

SS: Absolutely. So you always go from left to right, like you have the softer controls, and then you have the harder controls. The softer controls are the governance. So if you are going to prevent people from doing bad things, and you tell them that, hey, there are repercussions. If you’re going to do bad things, then the chances are that 80% of them will probably not attempt it. There will be 20% that will still attempt it.

And that’s where your harder controls come into play. This is where you have access controls, data security controls, etc. So governance will play a very large hand and a heavy hand in everything around AI because everyone is involved in the generative AI business. HR is involved, even legal, and the CISO organization is involved. Most importantly, the business wants to use it because it can be more efficient and more profitable. So yeah, I would say I see it coming.

ITSW: What do you see coming up very fast that enterprises need to be ready for?

SS: I think the interaction or the intersection of cloud and AI is an interesting one. We have started talking about it because everything is infrastructure or platform as a service or SaaS. They have their capabilities around generative AI and AI built into their platforms, but making sure that your security envelope covers that cloud boundary and then the AI boundary within that cloud boundary is an interesting topic that we are looking into. We are making sure that clients address that ahead of time before fully enabling generative AI in their ecosystems.
