8 Questions CISOs Should Be Asking About AI

Chief Information Security Officers (CISOs) are faced with the daunting task of protecting their organizations against increasingly sophisticated threats — and this will only get more difficult in the years to come with the rise of AI risks.

AI is now a tool for both attackers and defenders. Unfortunately, many cybersecurity experts see the AI risk advantage going to attackers in the near term, with a new report by the UK’s National Cyber Security Centre expecting AI to significantly increase the global ransomware threat.

In light of this, CISOs must ask critical questions about AI and its implications for cybersecurity. I've compiled eight key questions they should be considering now.

1. How does AI transform cyberattacks?

It’s crucial for CISOs to understand the ways bad actors can leverage AI to enhance the speed, efficiency, and sophistication of breaches and ransomware attacks.  

AI enables attackers to automate tasks, evade traditional security measures, and adapt their strategies in real-time. This means attacks can evolve faster than traditional prevention and detection technologies can keep up. As a result, organizations must assume breaches are inevitable, putting proactive, automated security measures in place that contain potential breaches and stop them from spreading laterally through the network.  

2. What role does basic cyber hygiene play in defending against AI attacks?

Despite the advanced capabilities of AI, basic cyber hygiene practices remain foundational to cybersecurity defence. CISOs must prioritize measures such as patch management, employee training, and secure configuration management to mitigate the risk of AI-driven attacks.

It’s important to keep in mind that the best cybersecurity practice is one that takes a layered approach. There’s no one platform or technology that can achieve total security — organizations must have defense-in-depth that starts with basic cyber hygiene.

3. Are our cybersecurity strategies aligned with the evolution of AI-generated attacks?

Recognizing that cyberattacks are an evolution rather than a revolution is key.  

CISOs should ensure that their cybersecurity strategies are adaptive and responsive to emerging threats, including those powered by AI. This is why modern security strategies like Zero Trust emphasize building an infrastructure that’s resilient to attacks rather than relying completely on the outdated assumption that all breaches can be kept out.

4. How can Zero Trust security principles mitigate the impact of AI risk?

With AI now available, the attack surface is expanding, and threat actors are getting increasingly sophisticated and targeted. Traditional detection, response, and recovery methods are no longer sufficient. Organizations should shift their focus from cybersecurity to cyber resilience. This changes the approach from just detecting and stopping the inevitable attacks to surviving them and maintaining services.  

Implementing a Zero Trust security model can help organizations limit the potential impact of AI-driven attacks by minimizing the attack surface and restricting lateral movement within the network. CISOs should assess the effectiveness of Zero Trust strategies in their security posture.

5. Are we prioritizing investments in the right areas?

It's crucial for CISOs to avoid the trap of investing disproportionately in areas that promise immediate returns but may not address the underlying risks posed by AI-powered attacks.  

A key element of this is shifting focus from security threats to security value. Especially when it comes to communicating needs with the board, CISOs should move away from reactive, qualitative reporting to more quantitative, value-based measures. Balancing investment in technology, training, and risk management is essential for long-term resilience.

Learn more about the three steps CISOs must take to prove cybersecurity value in my recent article.  

6. How can we build cyber resilience against AI risks now?

Recognizing that the threat of AI-driven attacks is imminent, CISOs must take proactive steps to build resilience within their organizations.  

Cyber resilience is business-critical in today’s threat landscape to ensure organizations can maintain operations during an attack. The best way to achieve cyber resilience is through Zero Trust, a globally validated strategy based on the mantra of “never trust, always verify.”  

A foundational technology of Zero Trust is Zero Trust Segmentation (ZTS); you can’t achieve Zero Trust without ZTS. ZTS provides a consistent approach to microsegmentation across the hybrid attack surface, enabling organizations to see and reduce risk across cloud, endpoints, and data center environments. It's easy and simple compared to attempting segmentation with static, legacy firewalls.  

7. How can we collaborate with industry and government partners to address AI risk?

With the rise of AI in 2023, global governments have started to address the risks associated with AI:

• The Biden Administration issued the Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence in October 2023 that, among other goals, “establishes new standards for AI safety and security protects Americans’ privacy.”
• The UK’s AI Safety Summit in early November 2023 brought global cybersecurity leaders, AI experts, and government officials together to discuss the risks of AI and how to coordinate efforts to mitigate AI’s impact.

It’s important for CISOs to pay attention to government resources and potential upcoming mandates around AI risks and security. Recognizing that AI-driven threats transcend organizational boundaries, CISOs should seek opportunities for collaboration with industry peers, government agencies, and cybersecurity researchers. Sharing threat intelligence and best practices can enhance collective resilience against AI attacks.

8. How can we foster a cross-functional culture of innovation and adaptability when it comes to cybersecurity?

Cybersecurity isn’t just a topic only CISOs and their teams should be concerned about — it should be an organization-wide focus.  

AI will make it easier than ever for bad actors to perform social engineering attacks. In response, CISOs should partner with leaders across the organization to cultivate a culture of security awareness and continuous learning. CISOs can lead the prioritization of open communication channels about cybersecurity between teams, encouraging collaboration on security initiatives and shared cybersecurity responsibility.

By asking these critical questions and taking proactive measures to address the challenges posed by AI-driven cyber threats, CISOs can strengthen their organizations' cybersecurity posture and mitigate the risks associated with the rapid evolution of attacks.

Contact Illumio today to learn how we can help you secure against AI threats with Zero Trust Segmentation.