Managing the Risk of GenAI Tools

We know new generative AI tools come with risks. What are you doing NOW to manage those?

Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and Steve Zalewski. Joining us is our sponsored guest, Karthik Krishnan, founder and CEO, Concentric AI.

Meet the new risk, same as the old risk

It’s easy to see GenAI's transformation potential, and we need to rewrite the security playbook around it. But Edwin Covert of Bowhead Specialty cautions us to treat GenAI like any new tech, saying, "This is a risk that should be managed like any other. The first step would be understanding why the organization is concerned and then articulating the risk so that users understand why the organization thinks the risk is important. If you can't do that, everything is just good money after bad." Knowing what you’re dealing with regarding tooling within your organization is also critical. "Work on having an AI inventory with sanctioned AI tools/solutions to help you track areas and their risks. Hire a vendor to assist you with an AI risk assessment to work on areas for improvement," said Mauricio Ortiz, CISA of Merck.

Understanding where your risks are coming from

Many security professionals quickly point out that security teams don’t have visibility into how GenAI models work. The dreaded black box can hold untold risks. However, that isn’t what most organizations are worried about regarding governance. "The clients I've spoken to are more concerned about the models being socially engineered since models cannot use their ‘spidey sense’ to distinguish an imposter or corrupted employee from a standard daily job function prompt. AI governance has to be pipeline-level protection, not model protection," said Matt Konwiser of IBM.

Identifying best practices

GenAI will make it impossible to keep sweeping bad data hygiene practices under the rug. We know what we need to do; it’s a matter of implementation. "This begins with solid enterprise and applications architecture. You can write all the policies you desire. Still, if you cannot monitor and enforce written policy, it will be circumvented," said Brian Clark of Info-Tech Research Group. Chad Boeckmann of TrustMAPP offered his best practices: "Ensure the data you will be using AI with is in the proper layout and is scrubbed from PII and other confidential information. Protect this data store accordingly and keep it outside production systems for now. Leverage AI for Internal to Internal Use Only, refine the process, and test the outputs, including data security. Once confidence is achieved, extend the use of AI to trusted external parties."

Know what you’re getting into?

Organizations can’t get caught up in the GenAI hype cycle for its own sake. There needs to be an apparent reason for using these tools. Otherwise, all the controls and data best practices in the world won’t translate into anything meaningful. "You need a clear framing of the objectives and goals of the initiative. If those are not clarified beforehand, you will not take a coherent set of appropriate actions on purpose to achieve them. Not engaging in this framing exercise is generally why almost all projects fail. So, the first risk companies must address is the possibility of solving an irrelevant problem with an ineffective solution. Solve for business relevance first, and the ability to address almost all other relevant risks generally comes into sharp focus," said Robert D. Brown III of Resilience.

Thanks to our unwitting other contributor, David F. of Mastermind.

Please listen to the full episode on your favorite podcast app or over on our blog, where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.

Listen to the full episode.

Huge thanks to our sponsor, Concentric AI


Subscribe to Defense in Depth podcast

Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.


Join us TOMORROW [11-01-24], for "Hacking Your Cyber Brand"

Join us this Friday, November 1, 2024, for “Hacking Your Cyber Brand: An hour of critical thinking about building how people see your company in this industry.”

It all begins at 1 PM ET/10 AM PT on Friday, November 1, 2024, with guests Gianna Whitver, co-founder and CEO, Cybersecurity Marketing Society and Andy Ellis, partner, YL Ventures. We'll have fun conversation and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup.


Cyber Security Headlines - Week in Review

Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be David B. Cross, SVP/CISO, Oracle. Thanks Dropzone AI.

Thanks to our Cyber Security Headlines sponsor, Dropzone AI

Jump in on these conversations

"How do you educate users? There's been lots of scams/phishing where users are losing their money" (More here)

"Help! A boss from my company wants to actively break the law" (More here)

"Is there ever really a valid rationale for storing customer SSNs?" (More here)


Coming up in the weeks ahead on Super Cyber Friday we have:

  • [11-01-24] Hacking Your Cyber Brand
  • [11-08-24] Hacking MFA

Save your spot and register for them all now!


Thank you! Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship, contact me, David Spark.



Mauricio Ortiz, CISA

Great dad | Inspired Risk Management and Security Professional | Cybersecurity | Leveraging Data Science & Analytics My posts and comments are my personal views and perspectives but not those of my employer

2 weeks

Steve Zalewski great analogy! It will stick with me and can be applicable to any security scenario

Matt Konwiser

Conscientious AI Design | CTO | Educator | Columnist

2 weeks

Great article David - honored to be included and excellent summary of the situation and many points of view - just proves we still have a long way to go.

Chad Boeckmann

TrustMAPP | I help business leaders align information security with business outcomes

2 weeks

I appreciate the inclusion in the article, David amongst some impressive individuals.

David F.

crushing iso audits @ mastermind

2 weeks

Thanks for the shoutout, David Spark!
