It’s never easy for a subject matter expert (SME) to address an audience of decision-makers about an important topic the audience is only marginally interested in and even less knowledgeable about. Creating a solid plan for such a conversation would be a good thing.
The SME in this case is you—the CISO—and the topic is securing the artificial intelligence (AI), machine learning (ML) models, and large language models (LLMs) currently or imminently in use anywhere in the organization against real and growing threats. While imparting security-related information with just the right degree of urgency without devolving into fear-mongering has always been a challenge, it’s a challenge that has become a bit more daunting since the Securities and Exchange Commission (SEC) decided that, come October, it might want the world to know what your C-suite knows about security.
We have crafted the following plan that flips the usual script to assist you in creating a compelling, consensus-building presentation that identifies the issues your organization faces and the available solutions, encourages decision-makers to understand both, and then impels them to act.
Identify the action the board must take or the decision it must make.
- This will vary according to the industry you’re in and the position of your company within that industry, as well as your company’s structure, financial and personnel capabilities, culture, size, and strategic plans for growth. Each of these elements has inherent, unique vulnerabilities and attack surfaces. When you have identified and connected these, a picture will emerge that leads to potential courses of action. Identifying the one that will gain the most traction with the board and enable you to bring its members around may well be the most challenging part of this step.
Step out of the role of SME and become a facilitator in the consensus-building process.
- You must be seen as knowledgeable, but unbiased. This is critical.
Introduce the proposal as an idea to generate dialog and be prepared to use your powers of persuasion to lead them to consensus.
- Present your rationale for this action/decision:
  - Help them—presumably operations or finance professionals who are neither technically- nor security-oriented—to understand that the advantages of using AI/ML and LLMs, such as ChatGPT and others, are overwhelming and should not be throttled down to a trickle, but rather enabled with solid risk management practices that include new tools and/or processes designed to meet the security needs of these new technologies.
  - Explain that the inflection point facing us now is not a new phenomenon. For example, when web application development exploded in 2000 and created a new generation of digital consumers, enterprises went in full bore. Most paid no attention to software resilience when building and deploying web apps until things started to go sideways. Learning from the consequences, they adjusted their software development lifecycles with techniques and tools to improve quality. The situation today is no different with LLMs being rushed to market from all directions. Impress upon them that the enterprises that understand which tools and techniques will enable them to deploy and enjoy the benefits of these generative AI models will be the marketplace winners in the long term.
- Provide facts supporting the rationale; for example, point out dimensions of the attack surface(s):
  - Data loss can occur when employees include sensitive information in queries submitted to LLMs
  - Responses from the LLM can be biased or in violation of your organization’s values
  - Responses can include malicious code that can be hidden or otherwise difficult to detect
- Leverage leading practices and case studies, ideally from your industry, to create a few specific examples of enterprise-specific principles that could be developed; for instance, requiring all output from LLMs to be reviewed and approved by a person.
- Include real-world examples of recent attacks that have targeted organizations like yours from internal sources, such as inadvertently shared data, and external sources, such as hackers using open-source libraries to plant malware.
- Emphasize that such threats are an escalating trend, as well as part of the price organizations pay for being at the front of the digital frontier, and that preventing attacks is not a one-time objective, but an ongoing effort with a real return on investment.
Map these dimensions to common business practices for the enterprise.
- This is a key time to begin closing the loop that shows the importance of integrating the solutions as an element of the overall security program.
Promote the establishment of a culture of cyber resilience, rather than security.
- Demonstrating cyber resilience through a specific set of practices is a pragmatic approach that yields effective results. Consider this example of actions taken from the point of view of a culture of security: An EVP who reported to the CEO of a large healthcare company and served on the company’s Security Committee became a victim of a phishing email message “from the CEO” that was actually created by a tool to test employees’ ability to recognize a phishing lure. Embarrassed by his inability to recognize the phishing test example, he stopped opening all email messages from the CEO for several weeks—his application of a culture of security—before sheepishly admitting what had happened.
- A goal that yields a better outcome is to achieve cyber resilience defined through these behaviors:
  - Understand and recognize weaknesses in controls from testing and incidents
  - Identify the lessons learned early in the incident-response process
  - Focus on activities to manage the business impact of vulnerabilities
  - Apply lessons learned in both the short term and the longer term
  - Constantly test the effectiveness of controls
Conveying the gravity of the threats organizations face in this emerging AI-imbued ecosystem without creating a panic in the boardroom requires a deft and conscientious approach. By following the steps above, you will enable decision-makers who might not have security on their minds to understand that steps taken today will create a more secure, resilient, and prosperous organization tomorrow.