The Cyber Defense eMagazine November Edition for 2023

leading to the potential exploit of backend systems or the presentation of false information to the
unknowing user. Vulnerabilities and the proliferation of the knowledge on how to use them means that
well-meaning initiatives without the right security may put relationships at risk and proprietary data
exposed. The cybersecurity playbook must keep pace with these new realities.
But using gen AI in the organization also put trust at risk. The following are steps leading enterprises are
taking to build trust that generative AI is being used responsibly:
• Build consensus about risk appetite—Accenture’s recent “State of Cybersecurity Resilience 2023”
research found that 65% of so-called “cyber transformers” apply three leading practices to excel
at risk management. By contrast, just 11% of the rest adopt a “best-in-class” approach. The
leaders apply a cyber risk-based framework that is completely integrated into their enterprise risk
management program. Their operations and executive leadership consistently agree on the
priority of assets and which operations to protect. And they consider cybersecurity risk to a great
extent when evaluating overall enterprise risk.
• Ditch the jargon—Provide non-technical explanations. Business leaders and the board need nontechnical
explanation and a common understanding to agree on governance guardrails and
appreciate the risks of having actual business data compromised. Stories and what-if scenarios
can help users gain a gut-level appreciation about the risks of undermining trust. Users need to
appreciate that once corporate data is out in the public environment, it is not coming back.
• Promote early engagement—Pilots can shape opportunities and value propositions and should
be used to provide critical feedback that should be shared with technology providers and
standards organizations. Inside the organization, this critical feedback can be used to develop
standardized business-ready applications and an enhanced understanding of necessary controls.
• Empower cross-organization governance and development—Avoid siloed development efforts.
Legal, Risk, IT, Information Security, Marketing and HR should all be engaged in charting the gen
AI journey. One enterprise we know has an “Executive Information Management Committee;
another a “funnel group” for bi-weekly evaluation of use cases.
• Offer a safe “sandbox”—The rest of the business is keen to work with gen AI tools. We hear from
CISOs that unsupervised “shadow” efforts are underway throughout many enterprises. To get
ahead of the risks of rogue efforts, establish an environment for users to test the appropriate uses
and limitations of various models, and of the data that trained the model. For example, a CISO
we know is encouraging people to experiment safely by using ChatGPT to plan their next holiday.
• Identify the prerequisites for sustainable generative AI success—A strategic discussion with
business leaders is required to ensure that the generative AI journey actually leads to business
value. There needs to be agreement on governance and a focus on investments that create
sustainable value. Priorities need to be right-sized so transformed processes are affordable.
Short-term successes should not come at the cost of overlooking responsible AI principles.
• Establish a sustainable AI architecture—Get the organization ready to use large language models
cost-effectively. Adopt a foundation model—pure play, open source, or cloud provider—that is fit
for purpose. Determine the right approach for providing access to gen AI models. Dedicated
infrastructure offers better cost predictability but adds complexity compared to managed cloud
services. A modern data foundation is required to create measurable business value from
Cyber Defense eMagazine – November 2023 Edition 29
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.