CISO Planning for 2024 May Struggle When It Comes to AI

Just about every CISO knows how this scenario goes: Called in to brief the board, they are asked, "So what are we doing about (insert latest threat, issue or technology here)?"

This year, it is almost always going to be about artificial intelligence (AI). What are the specific threats around it — but also, how can we leverage it for security?

Ay, there's the rub. AI is changing so rapidly, making it difficult for CISOs to figure out their 2024 plans for the technology. Because AI is evolving all the time, concrete plans are often elusive.

"It is making it very hard for CISOs/CIOs to reshuffle their portfolios on a dime," says Saurajit Kanungo, president of the consulting firm CG Infinity. "AI has become the biggest monkey wrench in their annual planning for 2024. Most of the CISOs/CIOs do not have a start-up mentality to propose high-stakes strategies involved in AI, especially generative AI."

But why not? AI is certainly not a brand-new technology, although the introduction of ChatGPT to the mainstream has made it the hot topic for the past year. On one side, Kanungo says, CISOs and CIOs have stakeholders — the CEO, board members, and peer C-suite executives — who can't stop reading and hearing about the potential of AI every day. These key stakeholders are expecting an answer to the question, "What can AI do for our business?"

On the other side, the CISOs and CIOs know that the promise of AI is perhaps overhyped and premature.

"The CIOs and CISOs are in a bit of a quandary as to what their position needs to be," he says. "Do they play the risk card and stay conservative or go full throttle on AI and play a high-risk high-reward game? Overnight, [they] are expected to develop a startup mentality, while they grew up in a risk-averse enterprise mindset."

The Evolving Threat Landscape Also Includes AI

When it comes to AI, CISOs need to also consider, beyond budgeting and planning, what they are hired to do: protect the company. Results earlier this year from Team8's "2023 CISO Village Survey," which asked 130 global CISOs about several concerns, revealed that 48% think AI security is one of the most acute problems they face when it comes to risk management, and that existing solutions fail to meet the needs and risks of AI.

"Rapidly evolving and sophisticated tactics enabled by AI, such as social engineering techniques and AI-enabled voice and email messages, make it more difficult for leaders to develop security protocols for the upcoming year," says Michael Jabbara, VP and global head of fraud services at Visa.

The current stage of generative AI, and its ongoing evolution, makes predicting its influence — and how threat actors will use it — all that more difficult. Matthew Martin, board adviser at Ironscales and former deputy CISO at LPL Financial, says security leaders must remain agile to both harness the potential benefits and safeguard against the emerging threats.

"The rapid evolution of AI, specifically generative AI, poses challenges for CISOs and CIOs in crafting their 2024 plans," Martin says. "Keeping pace with changes demands a flexible approach, making long-term planning more complex as organizations strive to harness the benefits of AI while staying resilient."

On the flip side, generative AI can also help people identify security vulnerabilities efficiently and notice new tactics or patterns used by threat actors. That must also be considered when planning for technology investments.

"CISOs need to acknowledge both the risk and potential of the rapidly changing AI landscape," says Justin Shattuck, CISO at Resilience. "Hackers may use large language models for social engineering attacks, presenting distinctive challenges."

In the face of uncertainty, CISOs can try to gain some control through well-defined policies and guidelines, according to Myke Lyons, CISO at Snyk. While challenging, the disruptive pace of AI innovation can be harnessed effectively by adopting interoperable tools and strong security practices.

"With AI becoming a necessity for organizations, CISO planning for 2024 needs to account for gaining control through policies and guidelines," Lyons says. "The disruptive pace of AI innovation poses challenges for planning, but adopting widely interoperable AI tools and embracing secure AI best practices can help organizations navigate the evolving landscape."

Navigating an Uncertain Future With AI

The uncertainty surrounding AI's trajectory makes 2024 and beyond challenging for CISOs. So what's a CISO or CIO to do when planning for the next few years?

"I think the smarter approach would be to develop a multiyear strategy for AI," says CG Infinity's Kanungo. "The idea is to balance between the risks involved in AI and the opportunities in AI. For example, if they have existing cloud software providers offering AI-based enhanced offerings, they should consider them in the short run."

At the same time, he says the CIOs/CISOs can collaborate with their business peers to develop a multiyear strategy for AI investments. While complex to plan for, sitting this one out is not a good idea either, he notes.

"Offering a 100% risk-averse strategy to leverage AI will not go well with the key stakeholders, and the stakeholders will be more prone to look for AI experts from the outside," Kanungo says.

Of course, the key will be finding balance amid uncertainty, charting a course that both embraces the potential of AI and safeguards against its evolving risks.