
[02-06-24] How Can We Apply Our Shadow IT Failings to Botch Our AI Policy? (LIVE in Clearwater)

CISO Series Podcast
How Can We Apply Our Shadow IT Failings to Botch Our AI Policy? (LIVE in Clearwater)


The hype around generative AI tools makes it seem like these are a totally new technological challenge for cybersecurity. But in reality, many of the challenges with securing them are the same that we've seen from the rise of SaaS and proliferation of shadow IT. Are there any lessons we learned from dealing with shadow IT that will work as we try to manage AI?

This week’s episode is hosted by me, David Spark, producer of CISO Series. We recorded this show in front of a live audience in Clearwater, Florida as part of National Cybersecurity Alliance’s Convene conference. Joining me on stage was my guest co-host Brett Conlon, CISO, American Century Investments, and our guest was Mical Solomon, CISO, Port Authority of NY and NJ.

The shadow preceding AI

Large language models and generative AI tools are proving to be transformational technologies. But when it comes to managing these technologies, we are not without antecedents as an industry. Look no further than the prevalence of shadow IT, argued Michael Hill of CSO Online. With both AI and shadow IT, organizations are struggling with employees’ eagerness to use these tools superseding their companies’ policies and procedures for cybersecurity. While the technologies may be different, the behavior is the same: the business is pushing cybersecurity into unknown territory, and security teams are going to have to find solutions to manage that risk quickly.

Play the long game with security awareness

Too often organizations think that security awareness is binary: you have it or you don’t. In this mindset, they unleash things like phishing tests on their employees, and if they hit a certain benchmark, it’s considered a success. But as Joan Goodchild pointed out in Dark Reading, all this does is create distrust between employees and cybersecurity teams. The challenge for organizations is to create timely awareness for employees, awareness that helps them do their jobs rather than serving as an impediment at best or a punishment at worst.

When did we forget about resilience?

In this conversation about awareness, we often miss the larger mark of building cybersecurity resilience. While awareness is undoubtedly part of cybersecurity, depending on it alone effectively pushes responsibility down to employees who have many other concerns. Kelly Shortridge of Fastly made the case that this comes down to cybersecurity setting itself apart for special treatment within the business. While it’s not easy, the ultimate goal for organizations is to actually build resilience, where systems are designed to account for incidents that will inevitably occur, rather than treating them as unusual events outside the normal specification.

The changing security challenges in 2024

We can all suffer from recency bias when it comes to making predictions. But we seem to be hitting an inflection point in cybersecurity, and an IT Business Canada article on vendor predictions bears that out. Several vendors saw an emphasis on resilience, partially driven by an uptick in threat actors using valid credentials. We’ve seen no shortage of those kinds of attacks in recent months, and organizations that can identify abnormal behavior by legitimate users will be at a distinct advantage. While many predicted that AI will play a major role in cybersecurity for both organizations and threat actors, some saw more business risk in using it to churn out low-quality code than in what the bad guys could do to us directly.

Listen to the full episode over on our blog, or your favorite podcast app where you can read the entire transcript. If you haven’t subscribed to CISO Series Podcast via your favorite podcast app, please go ahead and do so now.

Thanks to our podcast sponsors, Living Security & KnowBe4


Biggest mistake I ever made in security…

"The biggest mistake I ever made as a newly minted CISO was setting up a phishing campaign at this company I just started with, and it was around payroll changes and to click the link to change your payroll, but I forgot to call payroll, and I forgot to call the help desk to let them know I was doing it." - Mical Solomon, CISO, Port Authority of NY and NJ

Listen to the full episode of "How Can We Apply Our Shadow IT Failings to Botch Our AI Policy? (LIVE in Clearwater)."

Should CISOs and security vendors be in couples counseling?

When I launched CISO Series more than five years ago, it was predicated on the issue that both CISOs and vendors don't get along, yet they need each other.

Fast forward and that issue still happens today, but now we're talking about it together and it's becoming more manageable. At Cyber Marketing Con in December in Austin I asked the attendees, "Should CISOs and security vendors be in couples counseling?" Everyone said yes, and here's their advice.

Huge thanks to Cybersecurity Marketing Society for partnering with us on this video and thanks to all the people who appear in the video as well.

Is "Compliance Doesn't Equal Security" a Pointless Argument?

"Doing security is the cost of doing business. It's unfortunately, or fortunately, depending on what side of the security aisle you're on, it's a means for an organization to be more secure, to be that organization that stands out and is doing the right thing from a security perspective. That's the cost of doing business." - Derek Fisher, executive director of product security, JPMorgan

Listen to the full episode of "Is 'Compliance Doesn't Equal Security' a Pointless Argument?"

Subscribe to our newsletters on LinkedIn!

We've got our bi-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!

CISO Series Newsletter - Twice every week

LIVE!
Cyber Security Headlines - Week in Review


Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Doug Mayer, VP & CISO, WCG.

Thanks to our Cyber Security Headlines sponsor, Vanta


Super Cyber Fridays!
Super Cyber GAME SHOW Friday

The games are ON!

This Friday on CISO Series, it's Super Cyber GAME SHOW Friday, and the competitors are coming from right Nextdoor. Yep, CISO TC Niedzialkowski and his team at Nextdoor will be competing in games such as:

  • How NOT to motivate your team

  • The Public Interest

  • That Totally SOCs

  • What is my mom talking about (in cyber)?

  • Threat Actor or Metal Band

  • Fantasy CISO

  • Department of YES

  • I Object

  • And we'll close it out with a couple of rounds of "What's Worse?!"

It all starts Friday, February 9th, 2024 at 1 PM ET/10 AM PT and at the end of the hour we'll have our meetup.

Thank you!
Thank you for supporting CISO Series and all our programming

We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!

Everything is available at cisoseries.com.

Interested in sponsorship? Contact me, David Spark.