Luckily, We Haven’t Had to Adapt to Any New Technologies Before AI
CISO Series Podcast
We’re coming to understand generative AI as a platform shift in technology, one with many cybersecurity implications. But as exciting as this new technology is, we have been through a shift like this before, and recently. What did we learn from the emergence of smartphones that we can apply to GenAI?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Andy Ellis, partner, YL Ventures. Joining us is our sponsored guest Jadee Hanson, CISO, Vanta.
Embracing BYOAI
Businesses want to adopt AI tools rapidly, but we don’t need to rewrite the playbook. Jim Spignardo on LinkedIn noted the parallels between the rise of smartphones and the "Bring Your Own Device" (BYOD) movement. Organizations must embrace a “Bring Your Own AI” (BYOAI) approach, fast-tracking AI tool adoption while vetting and securing the tools employees are already using. AI is increasingly embedded in almost every SaaS platform, so the primary concern is how these tools use company data, especially whether it feeds model training. Creating clear AI policies is critical, in particular ensuring vendors do not use customer data for training without explicit consent. To that end, organizations need contract terms that prevent future changes to a vendor’s policies from overriding that consent.
The changing government contractor landscape
This segment covers the Department of Defense's (DoD) rapid implementation of the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework and its implications for contractors. Notable changes highlighted by Steve Lieberman on LinkedIn include stricter compliance requirements, such as mandatory reporting of cybersecurity lapses within 72 hours and increased accountability for third-party vendors. The framework presents three significant challenges: continuous compliance reporting, enhanced supplier accountability, and the requirement for vendors to enforce CMMC standards on their own subcontractors. There is some skepticism about the practicality of these requirements, particularly the reporting of all cybersecurity lapses; many contractors may respond by generating paperwork rather than improving security. Additionally, the requirement for some vendors to obtain FedRAMP authorization further complicates compliance and could create a segregated ecosystem of federal-only suppliers.
Creating better security outcomes
Questionnaires are the industry standard for compliance and third-party risk management. However, they are largely ineffective and do not improve data or security outcomes, and vendors are often reluctant to provide real-time or transparent information. Companies would be better off focusing on the real problems than on ever more granular questionnaires. We need a shift toward continuously monitoring critical controls and more transparency from vendors about what is actually in place. Current assessment practices are too broad and fail to address the security risks of the product as the customer actually uses it. Vendors should publish clear guidelines on shared-responsibility controls, helping customers avoid common security pitfalls without relying on third-party assessment services.
Automating supply chain security
Third-party security management is the name of the game for securing your supply chain. A recent Forbes Tech Council article gathered industry perspectives on how to improve this third-party conundrum. Automating compliance monitoring is a crucial step forward: applying AI to extract the critical security controls from complex contracts, then continuously monitoring those controls and surfacing their status to customers, gives customers ongoing evidence that the controls remain in place rather than a point-in-time attestation. Keeping an up-to-date, dynamic inventory of every third-party vendor in the supply chain is essential, and organizations need a process to track changes as vendors come and go. Focusing on incremental improvements, rather than tackling the entire problem at once, is the more practical approach to managing third-party risk.
Listen to the full episode on our blog, where you can also read the entire transcript, or in your favorite podcast app. If you haven’t subscribed to the CISO Series Podcast via your favorite podcast app, please do so now.
Thanks to Conner Biolsi of Lewis County, NY, for providing our “What’s Worse” scenario.
Thanks to our podcast sponsor, Vanta
Subscribe
Subscribe to CISO Series Podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "CISO Series Podcast" into your favorite podcast app.
Best advice for a CISO
“Whenever possible, communicate your cybersecurity program tied to return on investment, paying special attention to communicate the decisions made in business terms. Terms such as cost of breaches, potential savings from avoiding downtime, and reputation management are great places to start.” - Jadee Hanson, CISO, Vanta
Listen to the full episode of "Luckily, We Haven’t Had to Adapt to Any New Technologies Before AI."
Managing the Risk of GenAI Tools
"Productivity will find a way to get to the hands of users and employees who need them, and then the enterprises have to respond to the risks and everything that happens as a consequence." - Karthik Krishnan, founder and CEO, Concentric AI
Listen to the full episode of "Managing the Risk of GenAI Tools."
We've got our twice-weekly and daily Cyber Security Headlines newsletters available right here on LinkedIn. Go ahead and subscribe to one or both!
CISO Series Newsletter - Twice every week
Cyber Security Headlines Newsletter - Every weekday
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Ken Athanasiou, CISO, VF Corporation.
Thanks to our Cyber Security Headlines sponsor, Vanta
Super Cyber Fridays!
How Are We Solving Modern Attacks on MFA Today?
What happened to the stringent identity protection we used to get from Multi-Factor Authentication (MFA)? It is no longer the reliable barrier it once was.
In this video, Jason Haddix, field CISO, Flare, explains how modern infostealer malware such as Redline steals saved credentials and browser session cookies; a replayed session cookie bypasses MFA entirely, because the second factor was already satisfied when the victim logged in. It’s probably the most popular technique we’ll discuss this Friday, November 8th, 2024, on Super Cyber Friday. We’ll take a deep dive into “Hacking MFA: An hour of critical thinking about how threat actors circumvent this mainstay of authentication” and explore advanced protection strategies for your organization’s crown jewels. We will also cover proactive measures for monitoring, identifying, and responding to such breaches.
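To make the cookie-replay point concrete, here is an added example (not code from the CISO Series page, from Flare, or from the Super Cyber Friday talk). It shows a toy server-side session store in which MFA is checked only at login, so a cookie exfiltrated by an infostealer is accepted from the attacker's machine; the same store with sessions bound to a client fingerprint, which rejects and revokes the replayed cookie; and a small detector that runs over constructed access-log lines and flags a session id presented from a second client. The fingerprint scheme (/24 of the client IP plus User-Agent), the client records, the log format and every log line are constructed for illustration and are not from the page.

```python
"""Added example: session-cookie replay past MFA, one server-side
mitigation, and a log heuristic that spots the replay.  All clients,
names and log lines are constructed for illustration."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    user: str
    issued_at: float
    fingerprint: Optional[str]  # None: cookie is accepted from any client


class SessionStore:
    """Toy server-side session store.  The second factor is verified once,
    at issue time, which is exactly why a stolen cookie needs no MFA."""

    def __init__(self, bind_to_client: bool, max_age: int = 3600):
        self.bind = bind_to_client
        self.max_age = max_age
        self._sessions: dict[str, Session] = {}

    @staticmethod
    def fingerprint(client: dict) -> str:
        # Hypothetical binding: /24 of the client IP plus the User-Agent.
        prefix = client["ip"].rsplit(".", 1)[0]
        return hashlib.sha256(f"{prefix}|{client['ua']}".encode()).hexdigest()

    def issue(self, user: str, client: dict, mfa_ok: bool, now: float) -> str:
        if not mfa_ok:
            raise PermissionError("second factor required")
        token = os.urandom(32).hex()
        fp = self.fingerprint(client) if self.bind else None
        self._sessions[token] = Session(user, now, fp)
        return token

    def authorize(self, token: str, client: dict, now: float) -> Optional[str]:
        s = self._sessions.get(token)
        if s is None or now - s.issued_at > self.max_age:
            return None
        if s.fingerprint is not None and not hmac.compare_digest(
            s.fingerprint, self.fingerprint(client)
        ):
            del self._sessions[token]  # cookie presented from elsewhere: revoke it
            return None
        return s.user


def replay_demo() -> tuple:
    """Victim logs in with MFA; the attacker replays the exfiltrated cookie.
    Returns (result without binding, result with binding)."""
    victim = {"ip": "203.0.113.10", "ua": "Chrome/129"}
    attacker = {"ip": "198.51.100.7", "ua": "Chrome/129"}  # attacker copies the UA too
    results = []
    for bind in (False, True):
        store = SessionStore(bind_to_client=bind)
        cookie = store.issue("alice", victim, mfa_ok=True, now=1000.0)
        results.append(store.authorize(cookie, attacker, now=1100.0))
    return tuple(results)


# Constructed access-log lines: epoch seconds, client IP, session id, UA, path.
LOG_LINES = [
    "1730000000 203.0.113.10 sid=ab12 ua=Chrome/129 path=/home",
    "1730000030 203.0.113.10 sid=ab12 ua=Chrome/129 path=/mail",
    "1730000045 192.0.2.44 sid=cd34 ua=Firefox/131 path=/home",
    "1730000090 198.51.100.7 sid=ab12 ua=curl/8.6 path=/admin/export",
    "garbage line the parser must skip",
]
LOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<ip>\S+) sid=(?P<sid>\S+) ua=(?P<ua>\S+) path=(?P<path>\S+)$"
)


def detect_cookie_replay(lines, window: int = 900) -> list:
    """Flag a session id presented from a second (ip, ua) pair within
    `window` seconds of first sight.  Returns (sid, first_client, new_client, path)."""
    first_seen: dict[str, tuple] = {}
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, key = int(m["ts"]), (m["ip"], m["ua"])
        if m["sid"] not in first_seen:
            first_seen[m["sid"]] = (ts, key)
            continue
        ts0, key0 = first_seen[m["sid"]]
        if key != key0 and ts - ts0 <= window:
            alerts.append((m["sid"], key0, key, m["path"]))
    return alerts


if __name__ == "__main__":
    print(replay_demo())  # ('alice', None)
    print(detect_cookie_replay(LOG_LINES))
```

Two caveats on the mitigation and the detector. Binding a session to an IP prefix and User-Agent only raises the bar: an attacker who routes through a residential proxy near the victim and copies the browser's UA string defeats it, and mobile clients change IP legitimately, so a production detector keys on ASN or geolocation plus UA rather than the raw address. The durable fixes are device-bound session credentials where the browser and service support them, short session lifetimes with step-up re-authentication on sensitive paths such as the `/admin/export` request above, and revoking every session for a user as soon as an infostealer infection is confirmed on one of their devices.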
Joining Jason and me for this conversation will be Arvin Bansal, CISO, C&S Wholesale Grocers.
REGISTER HERE for November 8th, 2024, Super Cyber Friday
Thanks to our Super Cyber Friday sponsor, Flare
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing in social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.