GenAI: Assessing Risk and Compliance
Graydon McKee - MSIA, CISSP
Former Chief Information Security Officer (CISO), Fortune 5 Experienced Information Security Executive
Welcome to the fourth installment in this series. Hopefully you have enjoyed reading this as much as I have enjoyed writing it.

In the first article we covered what Artificial Intelligence (AI), Machine Learning (ML), and GenAI are, and some of the key capabilities GenAI brings to the table. The second article dove into the different ways GenAI can enhance our ability to detect threats in our environments. As a reminder, those capabilities are large-scale data analysis, pattern recognition, anomaly detection, contextual understanding, predictive capabilities, and continuous learning. Article three switched to incident response and how GenAI can enhance our capabilities there. In this fourth article, we take on the role GenAI can fill in how we manage and assess risk and maintain compliance.

The capabilities we discussed as beneficial to threat detection and incident response come into play again as we take on assessing and managing risk. GenAI can analyze large datasets to detect patterns, trends, and anomalies. Each of these can be scored, giving us a better perspective on the risk inherent in our environments. Couple this analysis with GenAI's contextual understanding and predictive capabilities and we have the right data on which to have informed discussions about risk. We can decide which risks are acceptable to carry, which risks need to be addressed, and the priority for each.

Beyond simply identifying and prioritizing risks, GenAI can go one step further and, if trained properly, recommend appropriate mitigation strategies beyond the simple "patch the system" recommendation.

Because GenAI can be trained to understand the context of the risk situation, it will know where each risk sits in the environment. It can then examine the existing compensating controls to determine whether they are sufficient to mitigate individual risks. If it finds that these compensating controls are not adequate, it can recommend changes or additions that will reduce one or more risks to acceptable levels. It is a bit like having the high-dollar consultants from the big firms on speed dial, except you don't have to pay them exorbitant fees.

Additionally, GenAI can continuously analyze and monitor your environments to track remediation efforts and automatically generate detailed risk reports. These reports can be produced at different levels of detail, with the most detail in technical reports for technical staff and executive-level summaries for executives.

These reports are a good segue into how GenAI can help us maintain regulatory compliance. The ability of GenAI to actively monitor and report on our compliance supports our responsibility to comply with the various laws and regulations that affect our business and industry.

I'm going to bring this to a quick close this week. At this point we have covered all the different areas where GenAI can help support our cybersecurity programs. The key word in that sentence was "support". GenAI can be a great tool to support our programs, but remember it is simply a tool and doesn't replace human intuition and judgement. Next week we will start to bring this series to a close with a quick review of what we have covered and a discussion of the challenges of implementing GenAI.