"GenAI is inevitable, so be prepared to manage its flow."

In his thought-provoking article "A year after ChatGPT’s debut, is GenAI a boon or the bane of the CISO’s existence?" Christopher Burgess raises an important question about the implications of GenAI and unstructured data for Chief Information Security Officers (CISOs). His article delves deeper into the topic, examining the potential risks associated with unstructured data and the threats posed by both insiders and outsiders.

In short, with the advent of open-ended, chat-based artificial intelligence systems like ChatGPT, we have witnessed a significant advancement in natural language processing capabilities. These AI systems are designed to interact with humans conversationally, allowing users to generate and obtain information. As the saying goes, "With great power comes great responsibility", and GenAI is potentially the greatest example of that responsibility. In this case, we'll talk specifically about securing an organization's most sensitive data.

Earlier this year reports allegedly indicated that several employees of a large manufacturing company inadvertently leaked sensitive company data on three separate occasions. The information the staff tech giant supposedly leaked included the source code of software responsible for measuring semiconductor equipment. Unfortunately, this type of incident is happening with greater frequency and negative financial impact.? Loss of data where a ChatGPT-like bot is involved has become so prevalent it’s been given a name:? Conversational AI leak.

LLMs like #ChatGPT allow for connections based on an application programming interface (API), which allows companies and staff to connect with the AI service and, in turn, reveal sensitive data. As ChatGPT and its rivals have increased in popularity, sensitive data leaks have become inevitable.?Given current threats and the growing use of LLMs and the dreaded #ShadowAI; organizations have to start thinking about protecting their data a different way.

Addressing Unstructured Data Risks:

To combat the growing challenges posed by unstructured data, organizations must adopt a data-centric approach. For years, the dominant theory has been to build security around the network: protect the perimeter and keep bad actors out. Clearly, this isn't sufficient given the explosion of devices, cloud storage, and applications and the pervasive blurring of the definition of "network" to the point where it is difficult to determine where a network starts and stops.? How do we know it's failing? A daily review of the successful ransomware and data breaches shows how traditional strategies alone have failed to meet the challenge. A simple Google search and we can see the articles measured in hours and days, not weeks and months.

Let's further scope the problem:

• In our hyperconnected world, data ties us together and it’s on the move. Beyond the edge of your networks. Collaboration is necessary but creates challenges when it comes to data privacy, compliance, and security.? I think it's safe to say, organizations have spent the last 20+ years managing the POSSESSION of data; however, in today’s world, we need to start enabling the business by adopting an integrated approach to maintain control of the data.
• In the face of this cyber onslaught, organizations around the world spent around $150 billion in 2021 on cybersecurity, growing by 12.4 percent annually. Other estimates suggest we might reach as much as $219 billion in 2023 (Worldwide Security Spending Guide). While all other tech sectors are driven by reducing inefficiencies and increasing productivity, cybersecurity spending is driven by cybercrime.

• Globally, we continue to set records in the number of reported breaches each year with October 2023 being the highest in recorded history. More than 1000 breaches and another 6 million files were breached. At the current rate of growth, damage from cyberattacks will amount to about $10.5 trillion annually by 2025—a 300 percent increase from 2015 levels
• The exponential growth rate of unstructured data is not a new phenomenon. As per IDC, by 2025, the total amount of data on our planet will reach 175 Zettabytes (that is 175 with 21 zeros) and 80% of that will be unstructured data.?

What are my options?

Now, with attacks becoming more frequent, with security and privacy concerns being elevated to the C-suite across industries, geographies, and enterprises whatever their size, cybersecurity and alignment with the requirements of the GTM teams is essential.

"CISOs, charged with protecting the data of the company, be it intellectual property, customer information, financial forecasts, go-to-market plans, etc., can embrace or chase. Should they choose the latter, they may wish to also prepare for an uptick in incident response, as there will be incidents. If they choose the former, they will find heavy lifting ahead as they work across the enterprise in its entirety and determine what can be brought in-house, as Samsung is doing".

Option 1: "Chase your Data": In August of 2023 research from BlackBerry revealed that 75% of organizations worldwide are currently implementing or considering bans on ChatGPT and other Generative AI applications within the workplace. 61% of those deploying or considering bans said the measures are intended as long-term or permanent, with risks to data security, privacy, and corporate reputation driving decisions to take action. Hardly a strategy given it fails to recognize how data is shared today.

Whether collaboration is occurring internally, or with 3rd party suppliers, contractors, partners, etc. -- data is being shared with others who may not share the same feelings on Generative AI and the risk is poses with their data --- and yours. Since most of the world’s data, including most real-time data, is unstructured, the ability to analyze and act on it presents a big opportunity when leveraging AI. This untapped resource with the potential to create a competitive advantage for companies that figure out how to use it making "banning" or "chasing" your data a non-starter as a strategy for companies.

Option 2: Embrace GenAI and "think differently."

Shift focus to "data-centric security" by embracing new technologies AND enabling security around the data itself. For decades, the security industry has focused on a perimeter-based approach to control the furthest-reaching parts of the enterprise –– the “perimeter.” Yet, forces like remote work, cloud adoption, reliance on third-party partners, and now GenAI have made it so that the modern enterprise. Data itself is now the furthest-reaching part of the enterprise. If we try to protect our IP, our partner's sensitive plans, our customer's PII, etc., and leverage legacy approaches where access = breach; failure is near certain. If we move to a new world where access DOES NOT equal Control; embracing and enabling the enterprise becomes possible.

By securing data itself, organizations can retain visibility and control of their sensitive assets, both internally and/or while sharing critical information with third-parties, cloud environments, etc. By focusing on protecting data rather than networks or endpoints, organizations not only protect their most critical and sensitive assets but also proactively mitigate the impact of any future breach. Further - all the upside offered by GenAI doesn't have to be traded for maintaining control of an organization's most sensitive documents.

Conclusion

Corporate leaders, academics, policymakers, and countless others are looking for ways to harness generative AI technology, which has the potential to transform the way we learn, work, and more. In business, generative AI has the potential to transform the way companies interact with customers and drive business growth. New research shows 67% of senior IT leaders are prioritizing generative AI for their business within the next 18 months, with one-third (33%) naming it as a top priority. Companies are exploring how it could impact every part of the business, including sales, customer service, marketing, commerce, IT, legal, HR, and others must recognize the data security threats as well.

As we navigate through this revelation, for those who continue to chase new challenges in protecting their most sensitive data with legacy strategies; data breaches will continue to serve as a wake-up call. In its very brief time in the market, we've already seen the importance of implementing safeguards, especially when data privacy, compliance, and security are at stake. A proactive approach like Seclore ensures the seamless integration of AI tools into your workflow without compromising data security.

I fear, for some, internal responses may not rise to the occasion until the threats become more evident. For others, they'll work closely with security leaders to tackle these security risks to ensure a risk-focused approach. This includes identifying potential risks associated with generative AI and developing measures to mitigate those risks. Taking actions that include a data-centric security approach continues to be a beacon of hope for organizations big and small.

#datasecurity #cybersecurity #semiconductor #manufacturing