A year after ChatGPT’s debut, is GenAI a boon or the bane of the CISO’s existence?

“In the race to innovate, developers and data scientists often unintentionally create shadow AI by introducing new AI services into their environment without the security team’s oversight,” Schindel tells CSO. “Lack of visibility makes it hard to ensure security in the AI pipeline and to protect against AI misconfigurations and vulnerabilities. Improper AI security controls can lead to critical risks, making it paramount to embed security into every part of the AI pipeline.”

Three things every company should do about generative AI

The solution, is very commonsensical. We need only step back to that which was shared in April 2023, by Code42 CISO Jadee Hanson, who was speaking specifically to the Samsung experience: “ChatGPT and AI tools can be incredibly useful and powerful, but employees need to understand what data is appropriate to be put into ChatGPT and what isn’t, and security teams need to have proper visibility to what the organization is sending to ChatGPT.”

I spoke with Terry Ray, SVP data security and field CTO for Imperva, who shared his thoughts on shadow AI, providing three key takeaways which every entity should already be doing:

• Establish visibility into every data repository, including the “shadow” databases squirrelled away “just in case.”
• Classify every data asset — with such, one knows the value of an asset. (Does it make sense to spend $1 million to protect an asset that is obsolete or worth far less?)
• Monitoring and analytics — watching for the data to move to where it doesn’t belong.

Know your GenAI risk tolerance

Similarly, Rodman Ramezanian, global cloud threat lead at Skyhigh Security, noted the importance of knowing one’s risk tolerance. He cautioned that those who aren’t watching the outrageously fast-paced spread of large language models (LLMs) are in for a surprise.

He opined that guardrails are not enough; users must be trained and coached on how to use sanctioned instances of AI and avoid those which are not approved and that this training/coaching should be provided dynamically and incrementally. Doing so will improve the overall security posture with each increment.    

CISOs, charged with protecting the data of the company, be it intellectual property, customer information, financial forecasts, go-to-market plans, etc., can embrace or chase. Should they choose the latter, they may wish to also prepare for an uptick in incident response, as there will be incidents. If they choose the former, they will find heavy lifting ahead as they work across the enterprise in its entirety and determine what can be brought in-house, as Samsung is doing.