AI is hot on everyone’s lips. Positive and Negative examples of the use of AI are readily available from news sources and social platforms. The UK Government even held a summit on the safety of AI in November 2023 inviting world and technological leaders. People are using AI more and more in day-to-day life and becoming familiar with it, seeing how it can be used to help them.
As that familiarity grows, this will permeate to the enterprise workspace with people keen to utilize the benefits that AI assistants can potentially bring them. As a security leader you will likely be or already are involved in the approval and use of AI tools in your organization. Security must be the department of know, not the department of no. Our businesses exist not to satisfy security requirements but to achieve outcomes and make profit, we must enable our organizations to thrive while remaining secure. New technologies such as AI can challenge this, but it need not be so.
Augmented not Artificial
The term “AI” is used to describe a wide range of systems, but should we consider more that Augmented Intelligence is a more accurate description? In 1997 IBM’s Deep Blue beat Garry Kasparov, who was widely considered the greatest chess player of all time. Chess is often considered as an intelligent pastime, however according to Dr Tim Wilkin, Senior Lecturer in the School of Information Technology at Deakin University, there was a far more practical reason that chess was chosen. ‘Playing chess is a matter of searching very efficiently through the many possible sequences of moves available given any arrangement of pieces on the board, to find a sequence that means I win, and you lose.’
That statement applies to the AI tools we see today, they assist us by searching through huge volumes of data, much faster than we can, to find an answer to the question we have. This is massively valuable to us. From Turing’s Colossus being used to decrypt the Lorenz cipher, to the various tools today scanning thousands of images for potential cancer signs, their aim is to do the work, quickly and accurately, allowing a human to focus on applying their wisdom to the data then presented.
Familiarity and Efficiency
People are becoming familiar with AI technologies and tools and using them to assist them in their everyday lives, I myself use AI tools to help me with excel formulas and formatting. I even tried Microsoft Copilot and was very impressed.
From an organizational level, you may be concerned about the use of AI. And you would be right to be cautious. There are many factors that should be considered, and those factors vary widely depending on the use of the system. An AI system used to make automated decisions needs more governance than an AI system that can help you remember how to create a formula in a spreadsheet. Then there is the risk of the system using the questions you ask to train itself, and being used to answer other people’s questions, creating quite the concern for Intellectual Property.
However, this is no different to any other service or software you may introduce to your organization. The same questions apply. Your due diligence for a new supplier would ask about where your data is stored, who has access, what security is there around that data and so on. Those exact same questions are what you must ask about any AI service. There may be others you want to consider such as ethics, bias, regulatory issues and transparency. Review your due diligence procedures, consider the benefits of each AI tool presented to you. Implement the necessary controls to ensure your requirements are met. By working with your people and supporting them, while educating them of the risks of these systems you will create a collaborative and supportive environment where people engage with you, rather than try to bypass you.
People Will be People.
Your people are using this technology and are seeing benefits. If we do not embrace the challenges that AI brings then we risk creating a whole new world of Shadow AI. As a security leader you are already aware that people are like water when it comes to security systems. They will always find the path of least resistance.
By understanding their needs and objectives, reviewing the systems and tools proposed and implementing pragmatic and sensible controls, educating your people around the security risks, and why those controls are necessary, you will be in a strong position to support the future of your organization and develop a security program that people don’t want to avoid or workaround.
