GenAI: reshaping the future CISO and security functions

Heather Barnes 26 Aug 2023

GenAI is transformative, but at what cost? Chief Security, Information and Risk Officers, and board members share views on its impact on security and the CISO. 

The changing landscape

It is universally agreed that GenAI will cause more and more disruption as it becomes embedded in businesses and consumers have greater access to new platforms. Although the opportunities outweigh the risks for many, GenAI creates serious security challenges. 

GenAI has significantly increased the productivity of bad actors, making it easier for them to target organizations. Self-evolving malware is also likely to rise and will be harder to pin down. These more frequent and sophisticated attacks require more than just detecting threats; they call for significantly more proactive, preventative work to block them.

GenAI also raises key concerns around data privacy and validation. Leaks of price-sensitive information and client data are a huge (and very real) risk. In terms of validation, can we trust the results from GenAI? The Chief Risk Officer for a global bank raised the issue of how we articulate and validate GenAI financial models. If they cannot be fully validated, how can they be a basis for business-critical decisions and used to justify these decisions to Boards, shareholders, and regulators? Companies will require new skillsets and structures to make GenAI work for, and not against, them.

Realizing the commercial benefits of next generation AI requires a true understanding of GenAI to limit risk. We must be careful with the data we input into (and the results from) GenAI as it is an added vector that increases threats. Deep-fake technology, seemingly sentient platforms and lagging regulation are posing real and increased risks to businesses.

What does this mean for the next generation of security leadership? 

GenAI has raised the importance of the Chief Information Security Officer

Rapid technology developments render some traditional cyber defenses ineffective, forcing companies to shift focus from protection to detection. The CISO will become more of an enterprise leader, continuing to progress from governance and assurance towards a more commercial focus – from policymaker to business champion. The role is becoming akin to the Chief Risk Officer, a role that needs to operate across all business areas and report directly to the CEO, rather than being part of a technology function.  

The Global CSO of a FTSE100 firm expressed that, given the increasing importance of security, the CIOs of the future will have to be CISOs at heart. Many current CISOs are the CIOs and CTOs of the future.

Creating more Chief Security Officer roles

Many corporations still separate physical and cyber security, but these areas must converge to be effective. CSOs will increasingly own both. Public, military and security sectors already understand the link between physical and cyber security, where malevolent actors use cyber to augment and enhance physical attacks.  

A former Global CIO and advisor to the Board of a global mining company raised the example of the rise in nation state cyber-attacks against global shipping companies, which transport much of the world’s food. The CISO of one global payments company likened the cyber security world to a small arms battlefield – where one must scan and patrol, adding layers of defense along the way. We could see a rise in CISOs with military or law enforcement backgrounds.  

Many boards do not have enough knowledge of these emerging technologies and their risks to provide adequate challenge and advice to executive leadership. While board engagement on these topics is improving, understanding at the board level seems to be cursory and largely reactive to press headlines. Boards will need to swiftly evolve to ensure there is more technical knowledge of cyber and broader technology issues in the room. The CISO will play a key role in raising awareness for their own organization and will be in demand for external board positions.  

GenAI is forcing a talent rethink

Security talent will need to be engineering-led and have an intrinsic understanding of data and analytics, as well as the evolving external landscape as new products and tools are launched. The ability to deal with complexity, be fluent in commercial, business-friendly language and be highly effective at educating, influencing and guiding executive leadership teams and boards, will be the key to success for current and future security leaders.

Quantum computing increases the urgency for new skillsets

Skillsets will need to evolve, from technology and security teams to board level. Mitigation of risks will require data science expertise and engineers, and perhaps a rise in security leaders from academic math backgrounds. This holds true in terms of spotting commercial opportunities too, where research and testing capabilities will require forward-looking skills to determine the potential benefits of new technologies. 

Technology will continue to change the way we operate, and GenAI and quantum computing will have a significant impact on the CISO role, the skillset it requires, and the previous experience brought to the position.

Heather Barnes

Heather is a Partner in our global Technology & Digital practice, leading on senior technology, digital and data officer roles across the consumer, technology, life sciences, energy, and industrials space. A strong advocate of diversity, equality and inclusion, Heather has…
