Get Your Mind Out of the Artificial Intelligence Rut
We all know that artificial intelligence is the new hotness. It’s hot. It’s sexy! It’s seductive. And, like many seductive things, it’s a little scary, too. In the cybersecurity world, people, myself included, spend far too much time worrying about it. If AI were to describe itself in three words, it would say:
But if a security professional were to describe AI, it would take more than three words. From my recent experiences, it would take all of their words, all of the time. It would take over their thoughts night and day. It would take over their dinners, seminars, BSides, panel discussions, and board meetings… Security people would share Spotify playlists with AI professing their undying love, and every song would be Animotion’s Obsession.
On my security buzzword bingo card, I replaced the free spot with AI.
It is a safe assumption that most cybersecurity professionals are in this business because we love the ever-changing landscape of technology. When I talk with my peers about what they love about what they do, almost all cite their fondness for constantly being challenged by new tech, new adversaries, and new threats. In light of that, I am not suggesting we stop considering how new technology might be used to help or damage our respective environments. It is what we love to do; ultimately, it is why our companies hired us.
But I believe we’re overdoing it. Cybersecurity professionals are like the dog in the movie Up: every shiny new technology is a squirrel. It doesn’t have to be this way. In the most recent Cost of a Data Breach Report, sponsored by IBM Security and conducted by Ponemon Institute, the most prevalent cause of a data breach in 2023 was phishing or stolen or compromised credentials. Not “AI.”
How to Properly Worry About AI
AI is just another data stream in your environment. Like all data streams, you need to protect incoming and outgoing data. You must teach your users the benefits and pitfalls of AI (e.g., Good: as a writing partner. Bad: as a source of reliable citations). You also need to make sure that you have protected access to AI. Make your AI instances internal. Block access to external models and prevent them from being used, through both technical safeguards and user education. If you have vendor models in your environment, make sure that their external models aren’t learning from your data. This sounds like a lot, but at its core it is data flow governance, a security fundamental. What is my data? Where is my data? Who is using my data? How reliable is my data? Do my users understand the impact of their actions on my data?
Back to the Basics
To have a successful security program, we need to focus on the fundamentals. That includes knowing your data: where it resides, how it is used, and who uses it. It also includes keeping your computing environment current. How is your asset management program? How is your authentication and authorization system? How up-to-date are you on vulnerability management? Have all the libraries in your code been updated? Do your at-home users connect through VPNs?
Consider AI
I am not anti-AI. Ponemon also reported that using AI within your security posture helps reduce the impact and costs of breaches. Think of AI as the chimichurri on your flank steak. You will not get the macro- and micronutrients you need from sitting down with a bowl of chimichurri; it’s a complement to the steak, not the main course. You can have a delicious meal of steak without the chimichurri, but it doesn’t quite work the other way around.
We should be considering AI. Like the intrepid security professional you are, keep an eye on trends. No one wants to fall behind on new tech and threats. But at the next CISO dinner, add a conversation on keeping up with vulnerabilities.
We should balance how much time we think about what’s new with getting the cybersecurity basics done.
So, go back to the fundamentals and:
- Inventory your assets and make sure they are properly managed
- Get your vulnerability and AppSec management programs functional so that you are aware of when a vulnerability hits and how it affects your environment
- Tighten and sharpen your service level agreements (SLAs) for remediating those vulnerabilities
- Improve your authentication and access controls
- Get your joiner/mover/leaver process battened down
- Teach your users how to use this new data source (AI) properly, including the confidentiality, integrity, and reliability of the generated information
As a bonus, guess what? You are likely enhancing your security posture with AI already. Your security tool vendors are adding AI into the tools you use (some are amazing, and some are gimmicky buzzwords). Some tools use AI to enhance everything from asset management to secure coding to auditing. These tools benefit your stack and, in some instances, can help reduce security costs. Automation also helps your employees have time for the more exciting aspects of the job.
Finally, remember that all the whizzy new AI tech doesn’t matter if you don’t have the fundamentals in place. You can put the fanciest alarm system on your front door, but if all of your valuables are on your lawn, it won’t matter.
Hadas Cassorla, JD, MBA, CISSP has a lot of letters after her name, but the three letters she cares the most about are Y-E-S. Marrying her improv and legal background into technology and business, she helps organizations build strong, actionable and implementable security programs by getting buy-in from investors, the boardroom and employees. She has founded her own business, Scale Security Group, and has built corporate security offices from the ground up.