- This will vary according to the industry you’re in and the position of your company within that industry, as well as your company’s structure, financial and personnel capabilities, culture, size, and strategic plans for growth. Each of these elements has its own inherent vulnerabilities and attack surfaces. When you have identified and connected them, a picture will emerge that points to potential courses of action. Identifying the one that will have the best traction and enable you to bring the decision-makers around may well be the most challenging part of this step.
- You must be seen as knowledgeable, but unbiased. This is critical.
- Present your rationale for this action/decision:
- Help them—presumably operations or finance professionals who are neither technically nor security oriented—to understand that the benefits of AI/ML and LLMs, such as ChatGPT and others, are overwhelming and should not be throttled down to a trickle, but rather enabled with solid risk management practices that include new tools and/or processes designed to meet the security needs of these new technologies.
- Explain that the inflection point facing us now is not a new phenomenon. For example, when web application development exploded in 2000 and created a new generation of digital consumers, enterprises went in full bore. Most paid no attention to software resilience when building and deploying web apps until things started to go sideways. Learning from the consequences, they adjusted their software development lifecycles with techniques and tools to improve quality. The situation today is no different with LLMs being rushed to market from all directions. Impress upon them that the enterprises that understand which tools and techniques will enable them to deploy and enjoy the benefits of these generative AI models will be the marketplace winners in the long term.
- Provide facts supporting the rationale; for example, point out dimensions of the attack surface(s):
  - Data loss can occur when employees include sensitive information in queries submitted to LLMs
  - Responses from the LLM can be biased or in violation of your organization’s values
  - Responses can include malicious code that can be hidden or otherwise difficult to detect
- Leverage leading practices and case studies, ideally from your industry, to create a few examples of enterprise-specific principles that could be developed; for instance, requiring all output from LLMs to be reviewed and approved by a person.
- Include real-world examples of recent attacks that have targeted organizations like yours from internal sources, such as inadvertently shared data, and external sources, such as hackers using open-source libraries to plant malware.
- Emphasize that such threats are an escalating trend, as well as part of the price organizations pay for being at the front of the digital frontier, and that preventing attacks is not a one-time objective, but an ongoing effort with a real return on investment.
- This is a key time to begin closing the loop by showing the importance of integrating these tools and processes as an element of the overall security program.
- Demonstrating cyber resilience through a specific set of practices is a pragmatic approach that yields effective results. Consider this example of what can happen when a “culture of security” is applied without understanding: An EVP who reported to the CEO of a large healthcare company, and who served on the company’s Security Committee, fell for a phishing email “from the CEO” that had actually been created by a tool to test employees’ ability to recognize a phishing lure. Embarrassed by his failure to recognize the phishing test, he stopped opening all email messages from the CEO for several weeks (his application of a culture of security) before sheepishly admitting what had happened.
- A goal that yields a better outcome is to achieve cyber resilience defined through these behaviors:
  - Understand and recognize weaknesses in controls from testing and incidents
  - Identify the lessons learned early in the incident-response process
  - Focus on activities to manage the business impact of vulnerabilities
  - Apply lessons learned in both the short and the longer term
  - Constantly test the effectiveness of controls