Sep 07 2023

How to Mitigate Risk In An Artificial Intelligence-Driven Threat Landscape

Bots aren’t your company’s biggest security problem; people are.

Artificial intelligence is transforming nearly every industry in the world, and every industry will have to reckon with the cybersecurity challenges it presents.

Generative AI tools such as ChatGPT have irrevocably changed the security landscape, posing new threats to cyberdefense efforts by lowering cybercriminals’ barrier to entry and helping them craft AI-generated phishing scams and malicious code at scale. 

It’s important to recognize the significant threat of ChatGPT and other AI tools. But does the technology demand that security teams deviate from the course they’re already on?

Not necessarily. AI is simply one element of a security architecture that aligns with the current threat landscape, and by their nature, these architectures are always evolving as new threats arise.

CISOs must determine where AI fits within their organizations’ existing cybersecurity risk culture to drive a human-centered framework that successfully protects the business.

Better Understand Your Company’s Appetite For Risk

The CISO’s main job is to drive the organization’s cybersecurity culture and manage its risk tolerance, asking, “Do I have unmitigated risk that exceeds the risk appetite of my firm?”

Although sophisticated hackers and AI-powered cyberattacks tend to dominate headlines, human error remains the largest threat to organizations, accounting for roughly 88 percent of cyber incidents. CISOs must understand the organizations they work for, gaining a clear picture of whether observed or potential risk exceeds the company’s risk appetite.

They can start by asking questions: Are employees participating in risky IT behaviors? How comprehensive and successful is our awareness training program?

Humans are the weakest link in the chain, so it’s critical for organizations to take a human-centric approach to mitigating the risk of AI and other cyberthreats.

Here are Four Steps to a Human-Centric Cyber Framework

CISOs should consider AI-based risk an additional layer within their human-centric decision-making process and build it into the following four-step framework:

  1. Quantify your risk. Make the failure scenarios affecting your organization quantifiable from both a business and a cybersecurity perspective. It’s critical to stay focused; not every risk can be mitigated to zero. For a business to operate, it must balance security and convenience, not security and insecurity.
  2. Maximize your controls. Invest in best-of-breed security controls and awareness training, ensuring their impact is maximized. Requiring awareness training for every employee, for example, helps eliminate plausible deniability. Employees can’t claim they didn’t know to avoid suspicious links or that there was a gap in the business’ defenses. Leverage your ecosystem of controls to share threat intelligence and create more resilient and robust defenses.
  3. Reduce your attack surface. Across people, processes and technology, do as much as you can to fortify the human firewall and minimize threats. Multifactor authentication, effective vulnerability management and getting the basics right are key. Don’t worry about zero-day attacks when you’re still struggling to patch critical issues in a timely manner. By maximizing your controls as mentioned above, you’re well on your way to achieving this.  
  4. Get the right stakeholders engaged. Connect cyber risk to business outcomes to earn funding and executive support. This involves learning the language of the stakeholder to effectively communicate risk in terms that resonate with your audience.

Targeted storytelling applies beyond the C-suite: Before driving change, CISOs must understand who in their organization will be most affected. Have those people acknowledge that there’s a problem, then involve them in solving it. That way, they understand why multifactor authentication or security pop-ups are important, not an unnecessary burden.

Source: CISO Mag, “Psychology of Human Error” Could Help Businesses Prevent Security Breaches, 2020

How to Create an Operational and Tactical Approach to Cybersecurity

As you work through this framework, it’s critical to ensure that everything you do has a strategic, operational, and tactical perspective. Do you have the means to reach your desired outcomes?

Strategy tells you the overarching objective and path to achieve it. Operations decide how you’ll implement new programs and processes. Finally, the right tactics outline key metrics and KPIs to track success.

As you ask investigative questions and identify strategic, operational, and tactical goals for each of these four areas, make sure those goals align with your organization’s security blueprint, resiliency needs and risk appetite.

The CISO improves the organization’s decision-making process by elevating new risks, such as AI and ChatGPT, and articulating to the board (and beyond) what has changed, what the business impact will be and where the business stands against peers in the industry.

The stakes are high in an increasingly AI-driven cyberthreat landscape, but by understanding your firm’s risk tolerance and appetite, you can better prepare for the rise of AI and create human-centric security architectures built to protect.
