
Using AI to Talk to the Board about Cyber: Clever Ploy or False Good Idea?


CISOs must avoid the repeat of some historical situations where cybersecurity might have been seen at odds with business needs


For the past two years, the business world has been trying to figure out what to do in practice with generative AI.

Because of hype and FOMO, the topic has dominated the agenda for many leadership teams, and in many cases, at Board level as well.

CISOs have not been as central to those discussions as they should have been, and many might have seen the debate around AI as hijacking their priorities.

Some may be tempted to jump on the genAI bandwagon to leverage the level of executive interest and grab their share of the spotlight. The question is how.

They must avoid the repeat of some historical situations where cybersecurity might have been seen at odds with business needs, and the CISO simply as the “guy who says no”. Opposing the AI tidal wave we are currently seeing – on any ground, valid or not – cannot and will not be heard.

In my opinion, they should also avoid forcing their way into the Boardroom through FUD; the topic is potentially too serious for that and more importantly, it does not warrant it for a number of reasons.

AI and cybersecurity have several characteristics in common:

  • Data, and data integrity in particular, are central to both;
  • Governance is also central to both, in the case of AI to ensure its ethical and responsible use;
  • Regulators are stepping up their game in both areas, pushing the topic up the list with audit and compliance departments.

CISOs need to understand that AI is grabbing top executives' attention because – essentially – its use cases are put to them in a language that they understand and relate to: productivity gains in call centres, removal of manual tasks in back offices, etc.

Many CISOs have been stuck in an artificial dialogue with senior stakeholders for years, pushing outdated, bottom-up, risk-driven and ROI-driven use cases that have simply failed to hit the spot.

Business leaders must understand that cybersecurity is simply a central and natural dimension to any AI strategy:

  • Because data poisoning – malicious or negligent – can lead to wrong results and wrong decisions, with potentially catastrophic consequences in some sectors (defence, healthcare, etc.);
  • Because the illegal use of personal or copyrighted data to train AI algorithms, in breach of legislation or regulations, can lead to legal action, reputational damage and heavy fines, not to mention personal liability in some cases;
  • Because without a clear policy around the use of AI in the enterprise, hype and FOMO will just continue to do their job across business units, and shadow AI will prevail, just as shadow IT prevailed in the early days of cloud computing more than 10 years ago, when business units circumvented the perceived rigidity and slow response times of IT departments.

This realisation is required now, not next year or whenever someone feels like paying attention.

A solid policy approach, documenting how AI usage can remain secure, ethical and responsible and how those aspects will be governed and executed across the enterprise should mechanically bring the CISO into the loop, together with other key stakeholders, and in my opinion, this is the agenda CISOs should be pushing.

This is not useless bureaucracy: AI, like cybersecurity, is inherently a matter where cross-silo interactions must be embedded. Those do not happen naturally or organically in the large enterprise, which is, almost by definition, siloed, territorial and political. Those cross-silo interactions need to be engineered, fostered and properly governed; otherwise they just never happen.

CISOs, working with CIOs and CDOs who should share a similar interest, should see the policy route as the best mid to long-term way for them to secure their rightful seat at the table from which they can protect their own interests and priorities, as well as securing the business.

As we were writing almost 10 years ago about cybersecurity, sound governance around AI is key. It is not a piece of useless consultant jargon, but an essential piece of the jigsaw, and the one that will determine whether enterprises succeed or fail in that space.


JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 6th August 2024 and can be found here.