Leadership Development /

Generative AI and Cybersecurity: The Big Untold Problem

untold problem cybersecurity genai

Hype and FOMO around generative AI are hijacking crucial discussions around cybersecurity in many firms

 

Everybody is talking about generative AI. You must have been living at the bottom of the deepest cave for the best part of the last 18 months if you haven’t noticed it. It is hard to find any content online that does not refer to it and, rightly or wrongly, the topic is inviting itself in all conversations.

If you have been around the tech industry for long enough, you can be forgiven for taking a slightly cynical view on the situation. After all, we have heard a lot of it not so long ago about the Blockchain: Tech firms and their marketing people have long established “grifting” habits as the Deepmind co-founder reminded us in a recent interview with the Financial Times.

The purpose of this piece is not to add to the debate about the impact generative AI is – or is not – going to have on business or on the world or on the future of work.

Of course, at every cycle, we hear that “this time it’s for real” but, looking at the situation slightly from the sideline and with cybersecurity in focus, for now I see a number of shapes emerging that are very rarely discussed in the current context.

First of all, the amplitude of the hype wave around generative AI is colossal, and we cannot be sure we have reached the peak (although the comments from Demis Hassabis mentioned above – and some emerging vendor surveys – could be a hint that we are near it).

Over the past 12 to 18 months, every board has been asking questions about it to their executive team; every executive has been asking questions to their team; every team is currently engaged in various experiments, pushing to an extreme the old shadow IT problem firms have been experiencing in some shape or another since the advent of SaaS solutions over 10 years ago. Most of it is happening without significant concerns about data security, privacy, legal or copyright issues or even any significant understanding of what the underlying technology is doing to the data in many cases.

Even leaving those aspects aside, what is the most concerning – and the most rarely discussed – is the monumental amount of time and resources this is consuming, and the often very low level of actual productivity those discussions are having, between executives who rarely understand the questions they should be asking, and technologists who rarely understand the underlying platforms and the full implications of their usage.

The amount of time spent figuring out what generative AI could do is simply not spent on other topics and the situation creates a mounting amount of managerial and leadership debt, leading mechanically to delays on decisions and depriorisation of non-AI related matters, irrespective of their nature or relative urgency.

Why is this a problem for cybersecurity in many firms? Because where cybersecurity maturity is low and needs to improve, getting the basics right is almost always the key, and it rarely involves AI in any form.

CISOs – who already had a near-impossible job to handle – now see a number of new fronts opening up in front of them.

They need to get a grip on the complex implications of a relatively opaque technology in terms of data security, carried across the enterprise by an unmeasurable wave of shadow IT.

They are expected to brief their bosses and sometimes the Board on the risks involved, but may face the inflated, unsubstantiated expectations created by the colossal hype cycle the world is going through.

They may face difficulties justifying any non-AI related new activities, if they can find the time to continue pushing those, irrespective of their actual importance for the protection of the firm and its business.

Allowing hype and FOMO to hijack those decisions around cybersecurity could be a high price to pay in many firms, in particular where maturity is low, and resources are scarce.

The time is probably coming for some common sense to return and for things to slow down and be put in perspective to allow those crucial discussions to take place.

 

JC Gaillard

Founder & CEO

Corix Partners


Contact Corix Partners to find out more about developing a successful Cyber Security Practice for your business.

Corix Partners is a Boutique Management Consultancy Firm and Thought-Leadership Platform, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.

An edited version of this article was published on Forbes on 29th April 2024 and can be found here.