Enterprise companies typically approach data governance and security through a compliance lens: the listed requirements get fulfilled, but threats the requirements never name go unaddressed. Compliance is essential, but it is not the whole story. A complete security strategy adds a risk-based, threat-driven approach that mitigates operational risks directly or, where that is not possible, applies compensating controls. In practice this means investing in risk-reduction measures, with access control, encryption and incident response prioritized, and maturing data governance so that core cybersecurity capabilities are properly funded. The result is a resilient security posture that both meets regulatory requirements and mitigates the risks the regulations do not cover.
AI is accelerating the evolution of cyber threats as bad actors use it to identify vulnerabilities, automate attacks, generate convincing phishing campaigns and turn newly found weaknesses into working exploits faster than before. AI is also making access control harder: more users and more automated agents need access to more data, and static role assignments cannot keep up. Organizations must go beyond legacy access management models and adopt finer-grained, identity-based access controls that ensure the right users reach sensitive information and workflows only at the right times. That calls for an adaptive, risk-based approach that evaluates each access request in context rather than trusting a role assigned once and rarely reviewed.
While AI is being integrated into cybersecurity frameworks, it is still immature and brings its own vulnerabilities: it can be manipulated through its inputs, corrupted through poisoned training data, and it hallucinates, producing confident but erroneous information. These traits make relying on AI alone for governance and cybersecurity dangerous. As the technology improves it will become more reliable for detecting threats, enforcing policies and reducing the ever-present risk of human error. For now, organizations should use AI to augment risk management, anomaly detection and other security workflows, with people still making the decisions. Complete reliance is not yet justified.
A key point to always recall: only the users of data can determine whether it is fit for use. Access to data and systems must be tightly controlled, monitored, logged and tested. Organizations cannot afford broad or unrestricted data access; instead, access should be scoped to the specific model a user works with and the task they perform in it. In addition, organizations must build controls for testing model outputs and tracking their accuracy over time, so that validation is continuous and benchmarks stay meaningful rather than being run once at rollout. Finally, a structured prompting process should be in place so that AI interactions follow predefined guidelines; consistent, well-structured prompts improve both the accuracy and the comparability of results. The bottom line is that while we are busy training AI models, we cannot lose sight of the importance of well-trained users who capture value from their data.
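To make the controls in the paragraph above concrete, here is an added example (not code from the article or from CIOSO Global) of a small control layer around a model: default-deny, per-model access that is logged on every decision, a fixed prompt template, and a benchmark that scores the model's outputs on each run and flags a regression against a baseline. The access policy, the benchmark questions and answers, the threshold, and the two stand-in "models" are all constructed for illustration; a real deployment would swap in its own model client and a benchmark curated by the data's own users.

```python
"""Added example: per-model access control plus continuous output validation.

Everything here (policy, benchmark cases, thresholds, stand-in models) is
constructed for illustration and is not the article's or any vendor's code.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple

# Constructed access policy: which users may query which model.
# Anything not listed is denied (default deny).
ACCESS_POLICY: Dict[str, Set[str]] = {
    "claims-summarizer": {"alice", "bob"},
    "hr-assistant": {"carol"},
}


@dataclass
class AccessLog:
    """Append-only record of every access decision, allow or deny."""
    entries: List[dict] = field(default_factory=list)


def authorize(user: str, model: str, log: AccessLog) -> bool:
    """Default-deny check: the user must be explicitly entitled to this model."""
    allowed = user in ACCESS_POLICY.get(model, set())
    log.entries.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user,
        "model": model,
        "decision": "allow" if allowed else "deny",
    })
    return allowed


# Constructed benchmark: (question, expected answer). The people who own the
# data decide what counts as correct; this harness only measures agreement.
BENCHMARK: List[Tuple[str, str]] = [
    ("What is the claim number format?", "CLM-NNNNNN"),
    ("Which currency are claims paid in?", "USD"),
    ("Who approves claims over 10000?", "regional manager"),
    ("What is the filing deadline in days?", "90"),
]


def structured_prompt(question: str) -> str:
    """Fixed template so every run asks every question the same way."""
    return ("Answer using only the policy handbook. Reply with the value only.\n"
            f"Question: {question}\nAnswer:")


def score_model(model: Callable[[str], str]) -> float:
    """Fraction of benchmark cases answered exactly (case-insensitive match)."""
    hits = sum(
        model(structured_prompt(q)).strip().lower() == expected.lower()
        for q, expected in BENCHMARK
    )
    return hits / len(BENCHMARK)


@dataclass
class AccuracyHistory:
    """Accuracy of one model over time; flags drops below baseline - max_drop."""
    baseline: float
    max_drop: float = 0.2
    runs: List[Tuple[str, float]] = field(default_factory=list)

    def record(self, accuracy: float) -> bool:
        self.runs.append((datetime.now(timezone.utc).isoformat(), accuracy))
        return accuracy >= self.baseline - self.max_drop  # False => regression


def evaluate(model: Callable[[str], str], history: AccuracyHistory) -> Tuple[float, bool]:
    """Score the model, append the result to its history, return (accuracy, ok)."""
    acc = score_model(model)
    return acc, history.record(acc)


# Stand-in models (constructed): one answers from the handbook, the other has
# drifted and now gives a wrong currency and a wrong deadline.
def good_model(prompt: str) -> str:
    for q, answer in BENCHMARK:
        if q in prompt:
            return answer
    return "unknown"


def drifted_model(prompt: str) -> str:
    return {"USD": "EUR", "90": "30"}.get(good_model(prompt), good_model(prompt))


if __name__ == "__main__":
    log = AccessLog()
    print("alice -> claims-summarizer:", authorize("alice", "claims-summarizer", log))
    print("carol -> claims-summarizer:", authorize("carol", "claims-summarizer", log))
    history = AccuracyHistory(baseline=1.0)
    print("good model:", evaluate(good_model, history))      # (1.0, True)
    print("drifted model:", evaluate(drifted_model, history))  # (0.5, False)
```

The regression check is deliberately simple (accuracy against a fixed baseline with a tolerated drop); the point is that the benchmark runs on every model change and every run is kept, so a quiet decline in output quality shows up in the history rather than in a production incident.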
___
About Greg Sullivan
Greg Sullivan, a former Fortune 100 CIO, CTO and CEO, brings decades of experience in global technology innovation, risk management and cybersecurity leadership with companies including Carnival Corporation (CIO), Global Velocity (CEO and CTO) and G.A. Sullivan, now Avanade (CEO). He has been a driving force behind integrating cybersecurity into corporate governance, ensuring that risks are addressed at the board level to protect industries, infrastructures and economies. His strategic insight ensures that CIOSO Global's solutions align with operational and business objectives. Greg holds a BS in Systems Science and Mathematics from Washington University in St. Louis and is a Certified Information Systems Security Professional (CISSP).
About CIOSO Global
CIOSO Global is a premier cybersecurity services provider, offering a comprehensive suite of risk-based cybersecurity solutions. Backed by decades of experience and expertise in public and private sectors, CIOSO Global helps organizations develop and implement robust cybersecurity strategies that reduce risk and ensure compliance with industry regulations. By combining advanced technological innovations with proven best practices, CIOSO Global equips companies with the tools and insights to maintain a robust cybersecurity posture in today’s ever-evolving threat landscape.