The Death of Cybersecurity Questionnaires in Three Acts
Below, we offer a little cybersecurity fable that starts in Act 1 with the use of an evil human-to-human questionnaire protocol for exchanging data between organizations. No one in the village ever liked this hideous approach because it involved having to answer hundreds of dumb eGRC questions.
Our story ends quite happily in Act 3 with the future benevolent use of API-to-API protocols that exchange security data without lengthy questionnaires. Interestingly, however, the narrative takes an awkward turn in Act 2 (uh, today) with the villagers inappropriately using Generative AI to answer questionnaires.
As you will see in our little fable, the use of AI to answer human questionnaires is a bad approach. And yes, this involves something you might never have expected to ever see from a computer science story-teller like me: An actual use-case in which AI is not the default answer. Now let's proceed:
Act 1: Human-to-Human Cybersecurity Questionnaires (2000 – 2023)
Once upon a time, human villagers working for different organizations used to send long, complicated manual cybersecurity questionnaires to each other. This was how one organization had hoped to learn something about the risk practices of another organization. It rarely worked.
Human senders of questionnaires originally had great hope for this process and tried using it for something called Third Party Risk Management (TPRM). Human recipients of these questionnaires hated the process, however, because it involved answering dumb questions like “Do you encrypt your data?”
Below is a little picture that shows this old, terrible process:
Act 2: Human-to-Human-to-AI Cybersecurity Questionnaires (2023 - 2024)
The human villagers soon wised up and decided that they’d wasted enough time answering questionnaires, so they started using ChatGPT-like tools to read the human questions. They figured that if AI was going to take their good jobs, then it might as well also take their terrible jobs.
This set-up turned out to be a ridiculous kluge because questionnaires are written for humans, not machines. Cringy acronyms emerged during this time such as Digital Human as a Service (DHaaS). This was an awkward transition, but it thankfully only lasted two years from 2023 to 2024.
Below is a little picture that shows how the old terrible process in Act 1 was replaced with an awkward Generative AI process in Act 2:
Act 3: API-to-API Cybersecurity Exchange Protocols (2024 – 2050)
Luckily, smart engineers realized during late 2023 and into 2024 that language models reading human text are fine for dumb and annoying lawyers needing to summarize a stupid brief, but that when one company needs cybersecurity data from another, this need not involve parsing human questionnaires with AI.
We all remembered that automation connects with automation through the use of application programming interfaces (APIs). Thus emerged the death of human questionnaires in favor of automated data interchange across APIs. The security community adopted this quickly and all the villagers are so happy.
Below is a lovely depiction of the Act 3 state of cybersecurity data exchange between organizations. Automated workloads gather the data locally and share it with other organizations across APIs. It is the death of human-focused cybersecurity questionnaires. Villagers fill their newly found time with golf.
Moral of the Fable
Artificial intelligence is certainly a very nice advance, and tools such as ChatGPT help us all from time to time. Few would dispute, myself included, that AI is usually an excellent solution to the tough personal and business problems that emerge on a day-to-day basis.
But where ChatGPT-like AI tools are being used to scan and interpret documents such as security questionnaires that were intended for humans, it would be much better to simply skip this interim step (Act 2 above) and just design a protocol that avoids the humans.
This is what APIs are for, and I hope my little fable represents a helpful reminder to you. (And this includes vendors.)
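As an added illustration of the Act 3 idea (not code from the article, and not any real exchange protocol), here is a minimal provider/consumer exchange in Python: the vendor reports its controls per data class and signs them with a shared HMAC key, and the consumer verifies the signature before evaluating the data against its own policy. The key, field names and sample values are all assumptions constructed for the demo.

```python
import hashlib, hmac, json

# Constructed demo key shared out-of-band by the two organizations (placeholder, not a real secret).
SHARED_KEY = b"demo-shared-key-not-for-production"

def build_posture(controls: dict, key: bytes = SHARED_KEY) -> dict:
    """Provider side: serialize locally gathered control data and sign it for integrity."""
    body = json.dumps(controls, sort_keys=True, separators=(",", ":"))
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"posture": body, "mac": mac}

def verify_posture(msg: dict, key: bytes = SHARED_KEY):
    """Consumer side: return the parsed controls, or None if the MAC does not check out."""
    expected = hmac.new(key, msg["posture"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["mac"]):
        return None
    return json.loads(msg["posture"])

def evaluate(controls: dict, policy: dict) -> list:
    """Compare reported controls against the consumer's per-data-class policy; [] means compliant."""
    findings = []
    for data_class, rules in policy.items():
        actual = controls.get("data_classes", {}).get(data_class)
        if actual is None:
            findings.append(f"{data_class}: no control data reported")
            continue
        for control, required in rules.items():
            if actual.get(control) != required:
                findings.append(f"{data_class}: {control}={actual.get(control)!r}, required {required!r}")
    return findings

# Constructed sample: "Do you encrypt your data?" answered per data class instead of yes/no.
SAMPLE_CONTROLS = {
    "org": "example-vendor",
    "data_classes": {
        "customer_pii": {"encrypted_at_rest": True, "encrypted_in_transit": True, "kms_managed_keys": True},
        "public_marketing": {"encrypted_at_rest": False, "encrypted_in_transit": True, "kms_managed_keys": False},
    },
}
# Constructed consumer policy: requirements differ by data class, which the questionnaire cannot express.
SAMPLE_POLICY = {
    "customer_pii": {"encrypted_at_rest": True, "encrypted_in_transit": True, "kms_managed_keys": True},
    "public_marketing": {"encrypted_in_transit": True},
}

def run_exchange(controls=SAMPLE_CONTROLS, policy=SAMPLE_POLICY):
    """Whole exchange: provider signs, consumer verifies, then evaluates. None means tampered data."""
    verified = verify_posture(build_posture(controls))
    return None if verified is None else evaluate(verified, policy)
```

A real deployment would use asymmetric signatures or mTLS rather than a shared key, and the control vocabulary would come from an agreed schema rather than ad hoc field names.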
Love the fable! Moving from tedious questionnaires to API-to-API is a smart move. It's about time we ditch the old ways for efficient cybersecurity. Exciting progress! Thank you for sharing, Edward Amoroso
Truly a happy ending!
Digital Transformation Consultant | Strategy & Innovation | IBM and AT&T Alumni | Emerging Technologist: AI, ML, IoT, Mobility/5G, Cybersecurity, Software-Defined Networking, Cloud, Big Data, and Analytics
1 year ago: Edward Amoroso, love how simple and deep your article is! It confirmed that this security & information accuracy issue is in so many industries. We need to know: WHAT problem we're trying to solve and then find the right HUMAN + AI/API combination to solve it. Thoughts?
Information Security Officer
1 year ago: Great story on the future, or what the present should be
Managing Partner at CTM Insights
1 year ago: Couldn't agree more, Edward Amoroso. What's really amusing is when generative AI plays both sides of the protocol, creating questionnaires and answering them (like having ChatGPT compose a document and then the recipient using it to summarize that same doc). Questionnaires like SIG lack context. "Do you encrypt your data?" I want to scream "It depends on the data". Either we add context via APIs or stay in Act 2 with the false illusion of security.