At last week’s RSA Conference (RSAC), a number of vendors and the media were focused on artificial intelligence (AI). Moving forward, we need to take a reality check on AI because it’s such a large, broad topic and there are so many different levels of AI.
The AI that’s available today functions just a few steps above automation. It's about using algorithms and machine learning and natural language processing.
So, people shouldn’t think that all of a sudden machines will come to life and think for themselves. That's an AI that's still far away. We will get to a place where our machines can think for themselves, but right now we’re just at the tipping point.
We're really focusing on automating repetitive tasks, getting information much more quickly, and making faster decisions. So, we're really talking about assisted intelligence, getting information humans can't process as quickly. And that lets humans make more vital decisions faster.
AI programs like ChatGPT are now used to help create outlines and templates for some code that users can then go and customize and personalize. It’s almost like a predictive coding or predictive chat. And that's really the next level.
But adversaries – cyber attackers – also use AI. These applications can collect and process personal data much faster than a human can to socially engineer smarter, more clickable phishing emails. They're also using it to create malware more efficiently.
Security professionals use AI to analyze data so they can make critical decisions faster, to create multiple examples of security strategies and best practices, write better reports, and to automate as many tasks as possible. The more we can reduce wasted time through automation, the more efficient we become.
As with all technologies and innovations, they can be used for both good and bad intentions. Good AI helps employees make faster, better-informed decisions. And, when an action gets performed once, AI will make those tasks repeatable, using intelligence to adapt based on machine learning and context.
A look ahead
So while attackers are using AI, at the core, it's no different from most existing attacks today. And, frankly, I don’t think that it's a priority for businesses right now. They are looking at it, they're checking it out, but the reality and priority are not aligned to the hype we saw on the RSAC show floor with some vendors. Ultimately, it's still really about cybersecurity basics, the simple tasks such as cyber training, phishing reporting, and using MFA.
One of the many benefits I derived from RSAC were the constructive conversations around how to communicate more effectively to the executive team and the board. That was a big topic on the first day and I attended many sessions that challenged me to think about understanding the board's perspective, what issues they prioritize. I also learned more about how to convert technical jargon into business outcome decisions, and that's what a lot of CSOs and CISOs are really looking for.
Another takeaway for me was around cloud security. Many organizations have accelerated their cloud transformation over the last few years. They're adopting cloud services, have much compute power and they're looking to adopt and build that much faster, but they're behind in security. They've done it in haste, and they already have technical debt, and now they're trying to catch up and they realize that just shifting what they do on-premises into the cloud doesn't work. It's more expensive, it's difficult, and it may reduce both security and efficiency in the cloud. So, we're really looking at cloud-native security solutions to protect both public and private cloud environments. I think many organizations really want to do better and want to learn best practices for cloud security.
Finally, there was a lot of talk about cyber insurance and trying to understand how it works. I think many business and security leaders think that cyber insurance can function as an alternative to security, but it's not. It's a financial safety net for security when bad things happen. But the insurance companies are struggling to quantify cyber risk, to get that data. They reduce risk today by increasing prices to reduce their exposure until they better understand the right moves to make that can reduce the risk for the organizations that they insure.
Overall, RSAC was a great conference that brings people together to share knowledge, experiences, and lessons learned to help make the digital world a safer place.
Joseph Carson, chief security scientist and Advisory CISO, Delinea
