How Chief Information Security Officers can help organizations unlock the potential of generative AI

As organizations across the world are racing to adopt generative AI at an unprecedented pace, it is crucial to evaluate the technology’s risks to the enterprise. The role of the Chief Information Security Officer (CISO) is key, helping unlock the transformative potential of generative AI while ensuring protection against cyber risks.

The newly developed generative AI systems in which organizations ingest, store and process their data are vulnerable to attacks, creating an avenue for malicious actors to steal substantial amounts of data, manipulate the output or use it to attack connected systems. Those actors may even employ their own generative AI systems, reducing the cost associated with devising and launching attacks, and increasing the breadth, depth and sophistication of those attacks. It is imperative for organizations to anticipate these risks and be prepared to respond swiftly.

CISOs need to actively contribute to key activities across their organizations to become business enablers while ensuring the secure adoption of generative AI.

Many organizations have already established a multidisciplinary centre of excellence for generative AI, encompassing teams such as legal, cybersecurity, compliance, technology, risk management and human resources. These centres typically manifest as steering committees or working groups that convene on a regular basis, actively fostering collaboration among various departments and assuming responsibility for several aspects, including:

It is key that the CISO engages in these established generative AI-focused centres to substantially contribute to the ongoing discussions across all major aspects of the technology.

It is vital for organizations to maintain an entrepreneurial spirit in their approach to generative AI. Leaders should be inspired by early adopters and evolve based on the lessons learned from deploying the technology across their own operations.

This means embedding flexibility into the governance of the technology to allow for adaptation in a safe manner. Blanket restricting access to generative AI technologies or imposing overly stringent policies is counterproductive, especially considering the high adoption rates across populations – 45% in the US and 73% in India – suggesting employees are already utilizing these tools.

New technologies will continually emerge, so organizations should prioritize developing a governance structure that accounts for those evolutions. The CISO can and should play a pivotal role in this endeavour.

Conducting comprehensive training and awareness initiatives that educate employees is crucial to ensure secure usage. By fostering a better understanding of issues such as biases in algorithms, privacy concerns and security vulnerabilities of AI systems, organizations can empower their workforce to make informed decisions when deploying or interacting with AI technologies.

It is also vital to provide guidance and clearly outline the obligations associated with the use of publicly accessible generative AI tools. Moreover, training and awareness efforts should be aligned with the ongoing monitoring of generative AI tool usage, facilitating faster responses to instances of misuse and associated threats.

When developing training programmes, it is paramount to tailor them to different target audiences to meet their needs. Cybersecurity teams, for example, should be equipped with a deep understanding of how generative AI models operate, enabling them to conduct accurate security reviews and enhance their credibility when advising IT teams.

Although AI is not a novel technology for organizations, its democratization for diverse purposes presents new challenges. In the past, organizations often centralized the utilization of AI technologies, making it easier for the cybersecurity team to track and control them. However, the widespread adoption of generative AI across organizations has made this task more complex. A critical challenge for organizations is to rapidly expand and streamline governance and risk management in tandem with the growing use of generative AI technologies throughout the organization.

To achieve scalability in governance and risk management, it is essential to establish a risk and control framework that aligns with the specific use cases and service models of the technology. Organizations should also clearly define their risk tolerance and make well-informed decisions, considering associated trade-offs.

Maintaining a balance among different risk types (model-based, data-related and legal) is crucial. The CISO offers an important perspective to get a well-rounded approach to generative AI risk management. Given that the risks posed by generative AI systems transcend various risk disciplines, it is imperative to adopt an interdisciplinary perspective in analyzing and addressing these risks.

The CISO assumes a critical role in shaping the concrete business case for generative AI, articulating its risks and challenges, and defining the key performance indicators (KPIs) that will drive targeted solutions. The CISO should strike a balance between harnessing the advantages of generative AI for the organization and its customers while ensuring the proper protection of systems. The responsibilities of the CISO with regard to generative AI technologies could encompass:

Generative AI provides a significant opportunity for CISOs to position themselves as business enablers throughout the organization. While many have taken initial steps, CISOs need to become key contributors to internal AI governance, risk management, and training and awareness initiatives to successfully contribute to the secure transformation of their organizations.

The World Economic Forum launched the AI Governance Alliance in June 2023. It aims to provide guidance on the responsible design, development and deployment of artificial intelligence systems. Read more on its work here.