Yahoo Finance Why CIOs are building teams of heroic ‘guardians’ to fight enemies with new AI superpowers
Meerah Rajavel tells the team she leads at Palo Alto Networks that they need to think of themselves in heroic terms. They are the guardians of the galaxy.
“We always have to make sure that the integrity and the security of the business is protected,” says Rajavel, the cybersecurity giant's chief information officer since 2022.
But in the age of AI, being a "guardian" is a much tougher job.
A decade ago, CIOs would constantly be questioned about the cloud and be tasked with keeping track of how it was being applied across their organizations. Which pockets of the business were leaning into the cloud? How is it being used? Is it secure? Today, CIOs are fielding similar questions about AI. Organizations need to protect the large language models they use, the data that goes into those models, and the various tools that utilize AI in new ways.
“I need to know what is the AI landscape of the company and what is the security posture of those different AIs,” says Rajavel. “And what do I allow and what do I not allow?”
To rise to the challenge, even experienced IT leaders like Rajavel—a veteran of Citrix, McAfee, and Cisco—are devising new strategies and techniques, as well as doubling down on the basics. “I think finally, the true genesis of zero trust is coming into picture,” Rajavel says.
Zero trust, she explains, requires continuous employee verification at every intersection point. Team members need to be persistently authenticated for each application they are using across an organization's entire infrastructure. The trick for CIOs of course, is not driving company employees crazy with constant log-in procedures. To remove some of that friction, IT teams are implementing things like passwordless authentication.
AI-generated attacks are more sophisticated and have lowered the barrier to entry for cybercriminals. And in this environment, company employees are the weakest link, said Michael Bradshaw, the CIO of Kyndryl.
At Kyndryl, which spun out from IBM in 2021, mock phishing tests are sent out to employees to test their readiness. Kyndryl tracks the rate of success and uses that data to inform how to better educate team members about cybersecurity threats. There's also ongoing training on how to spot deepfakes, particularly those that would feature senior executives reaching out to employees through non-company-approved channels, like WhatsApp.
“If you make it fun, if you make it engaging, people will get drawn in and it's amazing what they retain,” says Bradshaw.
Amanda Fennell, CIO and chief information security officer at Prove Identity, echoes Bradshaw in stressing the importance of educating and preparing employees for these new types of AI-enhanced ruses.
“Do your compliance training, and that’s wonderful, but also teach your humans to be human and use it to their strength,” Fennell says.
Breaches tend to happen when people have an emotional response to a fraudulent request that contains elements of distress—a text message ostensibly from the CEO asking about an urgent invoice or a phone call imitating the voice of an employee's child on the side of the road with a flat tire. In those moments, Fennell says that employees need to take a beat before springing into action.
Fennell is hopeful that larger companies, like Microsoft and Google, will get more assertive with their AI cybersecurity offerings.
“What are the large heavy-hitting players coming out with that are battling cyber issues with AI?” asks Fennell. “That's what you’re going to see a lot of in 2024.”
John Kell
Send thoughts or suggestions to CIO Intelligence here.
This story was originally featured on Fortune.com
