Machine learning and artificial intelligence (AI) have become the competitive differentiator of our time. By 2020, Gartner predicts that almost all new products to enter the market will integrate some form of ‘smart’ functionality. All AI, though, requires data to train - both data general to the function and data specific to the user. Without a strong understanding of what unique data the AI is collecting on the organization, adopting it can be an unnecessary risk. As a CISO, it is critical to have a foundational understanding of what AI is, how it’s used, and what value it can deliver to security organizations.
The term AI covers a broad spectrum, encompassing real world applications and extending into science fiction and dystopian fiction. The AI that Elon Musk and the late Stephen Hawking deemed the end of humanity is general AI - the sentient, humanoid AI that occupied the cinematic worlds of 2001 and I, Robot. This AI is still unseen even in the most advanced research labs, and researchers say it is still a ways off. The real world applications of AI that are available now fall under the umbrella of narrow AI - AI that is designed to accomplish a specific task better than a human. This AI poses little threat even to jobs, as it serves as a tool to augment existing teams’ abilities and aid in the decision making process, which still necessitates human input.
Types of core AI technologies
Machine Learning, Deep Learning and Neural Networks
This AI approach uses structured data (data that has been labeled by a human) and unstructured data (data in its raw form, more akin to what the algorithm would get in the wild), and processes that data. This processing starts under the supervision of a human and eventually moves into unsupervised training, which is again what it will typically be doing in the wild. The outputs of a machine learning based AI reveal insights and correlations within the input data that would otherwise take a human significantly longer to find (if they were found at all).
Natural-Language Processing, Speech Recognition and Text to Speech
While text to speech has been available for some time, advances in the backend technology have significantly increased its accuracy, allowing for better outputs from user input.
Enabled by the convergence of advancements in neural network algorithms, parallel processing, and digital camera quality, computer vision AI essentially allows a computer to ‘see’ and collect much of the information and data that we take in every day and take for granted. However, coupled with the analytical power of the neural network backend technology, the computer can make predictions and provide insights that we might miss.
Machine Reasoning, Decision Making and Algorithms
By developing the assembly line, Henry Ford essentially defined business processes for the next century. Since then, much of business has been defined by algorithmic behavior. Machine reasoning AI shifts the mundane processing and rudimentary decision making to the computer, delivering to the user a completed workflow to inform more significant or complex decisions.
Business Analytics and Data Science
Much like speech-to-text, data analytics is nothing new to the enterprise. What this burgeoning field of AI is doing, though, is empowering non-technical business units, previously untouched and uninformed by the analytics collected, to make data driven decisions. Powerful processing as well as scalable algorithms have automated the initial layers of data analysis, allowing end users to focus on the output and the strategy impacted by that information.
Robots and Sensors
Perhaps the most broad and yet underdeveloped form of AI, robotics sits as the culmination of all the previous forms of AI. Think of every other aspect we’ve discussed as a facet of a robot’s consciousness with roboticists focusing on assembling the body to house the brain. The core focus of this industry is working to have robots in dangerous situations instead of humans.
AI in action today
Bots, Chatbots and Virtual Assistants
Today, most bots and chatbots found in the enterprise serve as an initial layer of screening before reaching a human. They have reduced the remedial workload seen by many customer service and inbound sales and marketing professionals. Virtual assistants are more broad spectrum and in the enterprise help to automate relationship maintenance with customers as well as reduce inbound customer service requests. Both chatbots and virtual assistants are powered by NLP technology and machine learning - helping to tailor the functionality of the assistant to the user as time goes on.
Analytics and Predictive Analytics Models
Perhaps the most impactful application across enterprise industries, predictive analytics empowers decision making across essentially the entire organization - from sales and marketing to product development. Powered by deep learning, predictive analytics delivers the foundational insights necessary to empower decision making.
Smart Objects, Sensors and Environments
Known as the Internet of Things, smart objects leverage a mosaic of AI technology to deliver a wide variety of insights and information to the end user.
What AI can do for security
Already seen in the market, AI powered cybersecurity products are capable of processing vast amounts of data faster and more efficiently than a human. Previously, security analysts looked for what was outside the realm of ‘normal’ (the attacker). However, a neural network has the capability to analyze everything that is normal as well as what is not, delivering significantly more robust results for detecting abnormal behavior.
Another leap for security teams in AI is the ability to see where to begin in a risk mitigation effort. Machine learning IRM platforms such as CyberStrong are capable of delivering concrete next steps to further secure your organization.
Risks inherent to AI and how to stay secure
If you don’t know what the answer is, any answer is correct
What is most exciting for an enterprise integrating AI into their organization are the possibilities it opens to optimize and perform better. However, AI itself is critically insecure. Regardless of its form, every AI requires training data to be able to deliver insight. An AI cyber attack would involve implanting biased data into the model to skew the results. The risk here is that if the AI is performing functions that no human can do (the initial value proposition), the end user does not know that the results are biased outside of a training scenario.
"Machine learning models are often susceptible to adversarial perturbations of their inputs. Even small perturbations can cause state-of-the-art classifiers with high 'standard' accuracy to produce an incorrect prediction with high confidence"
- Prof Alex Madry, MIT CSAIL*
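The poisoning risk described above, and one control for it, as an added example that is not from the original article or from any vendor's product. It assumes a deliberately simple detector that learns ‘normal’ as a mean-plus-three-standard-deviations threshold; the sample counts, the 0.9 recall floor and the 1.5x drift limit are constructed for illustration.

```python
import statistics

# Constructed sample data: failed logins per hour for one service.
CLEAN_BASELINE = [3, 4, 5, 4, 6, 5, 3, 4, 5, 4, 6, 5]
# Constructed poisoned feed: same data plus records wrongly ingested as "normal".
POISONED_BASELINE = CLEAN_BASELINE + [40, 45, 50, 42]
# Trusted holdout, labelled by analysts and kept out of the training feed:
# (failed logins per hour, is_attack)
TRUSTED_HOLDOUT = [(4, False), (6, False), (5, False),
                   (35, True), (48, True), (60, True)]


def fit_threshold(baseline, k=3.0):
    """Learn 'normal' as mean + k standard deviations of the baseline."""
    return statistics.mean(baseline) + k * statistics.pstdev(baseline)


def holdout_metrics(threshold, holdout):
    """Return (recall, false_positive_rate) of the threshold on labelled data."""
    attacks = [v for v, is_attack in holdout if is_attack]
    benign = [v for v, is_attack in holdout if not is_attack]
    recall = sum(v > threshold for v in attacks) / len(attacks)
    fpr = sum(v > threshold for v in benign) / len(benign)
    return recall, fpr


def review_retrain(current, candidate, holdout, min_recall=0.9, max_drift=1.5):
    """Gate a retrained model: reject it if it misses known attacks on the
    trusted holdout or if its threshold moved more than max_drift times."""
    recall, _ = holdout_metrics(candidate, holdout)
    reasons = []
    if recall < min_recall:
        reasons.append(f"recall {recall:.2f} below {min_recall}")
    if candidate / current > max_drift:
        reasons.append(f"threshold drifted x{candidate / current:.1f}")
    return (not reasons), reasons


if __name__ == "__main__":
    current = fit_threshold(CLEAN_BASELINE)
    for name, data in [("clean", CLEAN_BASELINE), ("poisoned", POISONED_BASELINE)]:
        candidate = fit_threshold(data)
        ok, reasons = review_retrain(current, candidate, TRUSTED_HOLDOUT)
        print(f"{name}: threshold={candidate:.1f} deploy={ok} {reasons}")
```

The model trained on the poisoned feed produces no error of its own; only the comparison against data the training pipeline never touched shows that it has stopped flagging known-bad activity.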
With AI integrating even further into an organization than a typical vendor or product, cybersecurity and risk management must be a critical part of the conversation.
If you are buying an AI powered solution:
Apply stringent vendor risk assessment protocols to ensure that the AI vendor is secure and the insights their solutions deliver are secure. See the CyberSaint VRM buying guide here.
What to ask a vendor saying their solution uses ‘AI’
- What is the vendor’s definition of AI? What form are they using?
  - This helps you to vet out any products using overzealous marketing language for a product that doesn’t in fact use a form of AI to support the product.
- How does the AI make the product better?
  - This allows you to benchmark the price point against the increase in efficiency or data quality. Essentially, you are asking: is the increase in price worth it?
- What aspects of the platform are enhanced with AI?
  - While some platforms claim to be permeated by AI, there are certainly functions that showcase the AI more than others. Compare those ‘smarter’ use cases against the business needs that you’re seeking out the solution for in the first place to ensure that you maximize the value.
- What is hard coded into the algorithm? Soft coded?
  - Determine the flexibility of the AI and how tailored it will become to your organization’s data over time. This will also help indicate the data that the vendor uses to qualify itself as AI and help you determine if the insights are worth the trade-off.
If you are building an AI solution
Ensure that your organization adheres to strong risk management practices that go beyond simple compliance. Supplement your existing cyber program with a gold-standard framework such as the NIST CSF and shift your strategy from a compliance focus to a risk focus. Read more about an integrated risk management program and how to make the shift here.
AI is here to stay
At its core, AI is designed to augment our abilities as humans. It can detect patterns that we might otherwise miss and process massive amounts of data in seconds. The value that AI can bring to an organization surely outweighs the risk. That’s not to say, though, that there aren’t new risks associated with integrating AI into an enterprise. As a CISO, you must stay vigilant and foster a shift to a risk-based culture to ensure that your organization stays as secure as possible as AI transforms almost every aspect of how businesses operate.
*"Towards Deep-Learning Models Resistant to Adversarial Attacks", Madry, Alex et al., ICLR 2018