CISOs Guide to AI

[Securing Things by M. Yousuf Faisal]

Disclaimer: All views presented here, in this newsletter, are my own.

Neither the author nor the newsletter is liable for any actions taken by any individual or any organization / business / entity. The information provided is for education and awareness purposes only and is not specific to any business and / or situation.

M. Yousuf Faisal

Hi Securing Things Community,

In this newsletter edition, I'll be sharing a 12-step guide for CISOs to start Securing Things for the use of AI within the business, plus some of my previous guidance that CISOs may find useful when tackling AI-related risks to their business operations. In addition: a curated list of reference guidance for CISOs, some of my most viewed social media posts (in case you've not seen them), a sponsor's message and my asks.

Special Message:

Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!

Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.

CISO’s Guide to AI

CISOs need to be on top of both the business benefits and the risks that the use of AI within business operations presents, and establish an AI security and risk management strategy to address AI-related cyber risks.

Here's a list of 12 high-level steps CISOs can take to start addressing AI risks:

  1. Build an AI business inventory of use cases across all business units, covering tools / solutions, online services / 3rd-party service providers, local LLMs etc., across both IT and OT environments - from the board room to the plant floor, and through all six layers of the automation stack, from cloud down to Level 0 devices (sensors etc.).

  2. Review existing and in-progress contracts and EULAs for the products / solutions / services that use AI technologies.

  3. Assess AI risks to the business via AI-specific reviews, whether against industry standards (e.g. ISO/IEC 42001), frameworks or guidance (e.g. NIST AI RMF).

  4. Build an AI cybersecurity roadmap to address the identified risks via administrative and technical controls.

  5. Define an AI cybersecurity policy as part of the administrative controls - draft, socialise and enforce it. Check out my guidance on the building blocks of an AI cybersecurity policy and the reference guidance.

  6. Ensure the Security Awareness Program includes AI-related risks - acceptable use and best practices are factored into the existing program, with more focused, role-based training for heavy AI users.

  7. Ensure cybersecurity tools and solutions are deployed as technical controls that directly mitigate or minimise the risks identified earlier.

  8. Ensure AI SBOM (the bill of materials for models, training datasets and the libraries and services they depend on) and supply chain-related risks are factored into the overall cybersecurity or supply chain risk management program.

  9. Ensure strong access control processes are established to approve and allow the use of AI for business.

  10. Ensure the use of AI is monitored for data leakage and breaches as part of the overall cybersecurity monitoring program.

  11. Ensure Incident Response (IR) plans include AI-related incident scenarios - AI IR playbooks defined and included in tabletop exercises / drills.

  12. Keep tabs on the latest industry developments, attacks and threat intel against the AI business inventory compiled in step 1.

Plus other steps specific to your business needs, e.g. if you are developing AI solutions for businesses, security around the development, product / solution and delivery processes.
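To make steps 1 and 10 concrete, here is an added example (mine, not the newsletter's) that builds a shadow-AI inventory from web-proxy logs and flags unapproved AI services and possible bulk uploads to them. The log format, the AI host catalogue, the approved-host set, the upload threshold and the sample log lines are all assumptions constructed for illustration, not real traffic or a real policy.

```python
"""Shadow-AI inventory and data-leakage signals from proxy logs.

Added example, not code from the newsletter. Every list and threshold below is an
assumption for illustration; replace them with the business's own catalogue and policy.
"""
import re

# Assumed catalogue of AI service hosts to inventory (hypothetical, extend as needed).
AI_HOSTS = {
    "api.openai.com": "OpenAI API",
    "chatgpt.com": "ChatGPT (web)",
    "claude.ai": "Claude (web)",
    "gemini.google.com": "Gemini (web)",
}

# Assumed policy: only the API route has been approved for business use (step 9).
APPROVED_AI_HOSTS = {"api.openai.com"}

# Assumed threshold: a single request sending more than this many bytes to an AI
# host is treated as a possible bulk-data upload worth an analyst's review (step 10).
LARGE_UPLOAD_BYTES = 100_000

# Assumed proxy log layout: ts user method host path bytes_out status
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
    r"(?P<path>\S+) (?P<bytes_out>\d+) (?P<status>\d{3})$"
)

# Constructed sample log lines (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
2024-08-01T09:00:01Z alice POST api.openai.com /v1/chat/completions 2048 200
2024-08-01T09:02:10Z bob POST chatgpt.com /backend-api/conversation 512 200
2024-08-01T09:05:44Z carol POST claude.ai /api/organizations/x/chat_conversations 350000 200
2024-08-01T09:06:00Z bob GET www.example.com /index.html 0 200
2024-08-01T09:07:30Z dave POST gemini.google.com /app 1200 200
this line is malformed and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def ai_records(log_text):
    """Yield parsed records whose host is in the AI catalogue; skip everything else."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["host"] in AI_HOSTS:
            yield rec


def build_ai_inventory(log_text):
    """Step 1: per AI host, which users touched it, how often, and how many bytes went out."""
    inventory = {}
    for rec in ai_records(log_text):
        entry = inventory.setdefault(
            rec["host"],
            {"service": AI_HOSTS[rec["host"]], "users": set(), "requests": 0, "bytes_out": 0},
        )
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        entry["bytes_out"] += rec["bytes_out"]
    return inventory


def find_findings(log_text):
    """Step 10: (kind, user, host, detail) tuples for unapproved AI use and large uploads."""
    findings = []
    for rec in ai_records(log_text):
        if rec["host"] not in APPROVED_AI_HOSTS:
            findings.append(("shadow_ai", rec["user"], rec["host"], AI_HOSTS[rec["host"]]))
        if rec["method"] == "POST" and rec["bytes_out"] > LARGE_UPLOAD_BYTES:
            findings.append(("large_upload", rec["user"], rec["host"], f"{rec['bytes_out']} bytes"))
    return findings


if __name__ == "__main__":
    for host, e in build_ai_inventory(SAMPLE_LOG).items():
        print(f"{host:20} {e['service']:16} users={sorted(e['users'])} "
              f"requests={e['requests']} bytes_out={e['bytes_out']}")
    for kind, user, host, detail in find_findings(SAMPLE_LOG):
        print(f"[{kind}] {user} -> {host}: {detail}")
```

Adapt LOG_RE to your proxy's actual log format before use. Note the limit of this signal: proxy logs rarely carry request bodies, so bytes_out only tells you that something large left; knowing whether it contained sensitive data needs TLS inspection, a DLP capture or the AI vendor's own audit logs.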

I’ve also previously shared some insights - check them out on the following:

Comment below to add anything critical that I have missed.  

Get Securing Things on your Mobile Now :-)

  • Visit the Securing Things Newsletter website in your mobile browser, and the Install App pop-up will appear.

  • Press Install App; when the pop-up appears, click Install to download and install the app on your phone.

  • Back in the browser, click Enable to get push notifications for newly published content, and click "Allow" on the pop-up.

  • The Securing Things icon now appears as an app on your phone.

And that's all.

If you'd like to keep up with the latest in AI (news, apps / tools, reports and all the AI buzz in business), check out the AI Tool Report, which brings you the latest and also offers additional courses, groups etc.

Learn AI in 5 Minutes a Day

AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.

Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.

Curated References as additional Guidance

Below is a curated list of free references available as further guidance:

  1. https://www.csoonline.com/article/2097119/nist-publishes-new-guides-on-ai-risk-for-developers-and-cisos.html

  2. https://www.sans.org/blog/the-ciso-s-guide-to-ai-embracing-innovation-while-mitigating-risk/

  3. https://www.forbes.com/sites/zscaler/2024/04/15/the-cisos-guide-to-ai-embracing-innovation-while-mitigating-risk/

  4. https://www.nist.gov/news-events/news/2024/07/department-commerce-announces-new-guidance-tools-270-days-following

  5. https://securiti.ai/blog/cisos-guide-to-tackle-ai-risks-in-enterprises/

  6. https://www.whitehouse.gov/briefing-room/statements-releases/2024/07/26/fact-sheet-biden-harris-administration-announces-new-ai-actions-and-receives-additional-major-voluntary-commitment-on-ai/

  7. https://cloud.google.com/blog/transform/7-key-questions-cisos-need-to-answer-to-drive-secure-effective-AI

  8. https://cloud.google.com/transform/gen-ai-governance-10-tips-to-level-up-your-ai-program

  9. https://www.csoonline.com/article/641690/the-challenge-of-balancing-risks-and-benefits-of-ai-for-cisos.html

  10. https://hiddenlayer.com/research/securing-your-ai-a-step-by-step-guide-for-cisos-pt2/

  11. https://www.helpnetsecurity.com/2024/07/23/establishing-ai-tools-guardrails/

  12. https://www.commerce.gov/news/press-releases/2024/07/department-commerce-announces-new-guidance-tools-270-days-following

  13. https://sra.io/blog/strategy/ciso-guidance-for-ai-security/

  14. https://www.paloaltonetworks.com/resources/research/idc-ciso-guide-to-ai

  15. https://www.issa.org/session/ai-risk-management-strategies-for-cisos-in-the-age-of-innovation/

  16. https://www.techradar.com/pro/how-cisos-can-apply-threat-modelling-to-ai-products-in-four-steps

  17. https://siliconangle.com/2024/03/24/four-generative-ai-cyber-risks-keep-cisos-night-combat/

  18. https://www.trendmicro.com/en_us/research/24/g/write-generative-ai-cybersecurity-policy.html

  19. https://www.gartner.com/en/newsroom/press-releases/2024-06-03-gartner-identifies-three-areas-for-cisos-to-augment-their-cybersecurity-approach

  20. https://www.forbes.com/sites/forbestechcouncil/2024/07/24/a-cisos-guide-to-fortifying-your-cybersecurity-posture/

  21. https://www.csoonline.com/article/2123671/the-art-of-saying-no-is-a-powerful-tool-for-the-ciso-in-the-era-of-ai.html

  22. https://www.securityinfowatch.com/cybersecurity/press-release/55129012/enterprise-cisos-struggling-to-govern-the-use-of-ai-in-app-development

  23. https://www.darkreading.com/cybersecurity-operations/cisos-struggle-csuite-status-expectations-skyrocket

  24. https://www.fsisac.com/newsroom/pr-ai-risk-papers

  25. https://community.isc2.org/t5/Industry-News/AI-security-for-CISOs-A-dynamic-and-practical-framework/td-p/69621

  26. https://www.infosecinstitute.com/resources/management-compliance-auditing/management-guide-for-cisos-responsibilities-strategies-and-best-practices/

  27. https://blogs.opentext.com/unlocking-ai-potential-for-cisos-a-framework-for-safe-adoption/

  28. https://duo.com/decipher/dhs-releases-ai-security-guidelines-for-critical-infrastructure-sector

  29. https://finance.yahoo.com/news/study-finds-95-cisos-flying-130500943.html

  30. https://finance.yahoo.com/news/absolute-security-survey-reveals-uk-065500023.html

  31. https://www.darkreading.com/vulnerabilities-threats/top-lessons-cisos-owasp-llm-top-10

  32. https://arxiv.org/abs/2206.08966

  33. https://www.gartner.com/en/cybersecurity/products/gartner-for-cisos

  34. https://team8.vc/rethink/cyber/a-cisos-guide-generative-ai-and-chatgpt-enterprise-risks/

  35. https://www.linkedin.com/posts/safecrq_read-cisos-guide-to-managing-genai-risks-activity-7148367162049560576-TjL_/

  36. https://www.prnewswire.com/news-releases/new-study-finds-95-of-cisos-flying-blind-on-ai-model-training-data-302166774.html

  37. https://www.csoonline.com/article/2111061/cyber-resilience-a-business-imperative-cisos-must-get-right.html

  38. https://www.forbes.com/sites/forbestechcouncil/2024/03/25/ai-advancement-a-double-edged-sword-for-cisos/

  39. https://theresanaiforthat.com/gpt/ciso-ai/

  40. https://www.securityweek.com/cyber-insights-2024-a-dire-year-for-cisos/

  41. https://www.csoonline.com/article/566757/what-is-a-ciso-responsibilities-and-requirements-for-this-vital-leadership-role.html

  42. https://chatgptglobal.news/navigating-ai-security-essential-framework-for-cisos/

  43. https://www.infoworld.com/article/2513039/how-evolving-ai-regulations-impact-cybersecurity.html

  44. https://deloitte.wsj.com/riskandcompliance/cisos-guide-using-ai-for-cyber-defense-d6e06cfc

List your favourite CISO AI reference guide in the comments below.

Do subscribe to ensure that you don’t miss out future posts.

My Recent Most Viewed Posts:

In case you’ve missed - here are some of my recent most viewed social posts.

Ways in which I can help?

Whenever you are ready, I can help you, your organization or your customers secure the digital transformation journey through:

B - IT & OT Cybersecurity Trainings & Education

Reach out at info[at]securingthings[dot].com or DM me via LinkedIn.

My Asks

I invite #SecuringThings community to share their feedback.

Your feedback and input is invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.

Do register, validate your email and request a login link to submit the poll, for a chance to win a future course giveaway.

Thanks for reading - until next edition!

It’s a Great Day to Start Securing Things for a Smart & Safer Society.

Take care and Best Regards,

M. Yousuf Faisal.

Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.

The Newsletter Platform Built for Growth

When starting a newsletter, there are plenty of choices. But there’s only one publishing tool built to help you grow your publications as quickly and sustainably as possible.

Beehiiv was founded by some of the earliest employees of the Morning Brew, and they know what it takes to grow a newsletter from zero to millions.

The all-in-one publishing suite comes with built-in growth tools, customization, and best-in-class analytics that actually move the needle - all in an easy-to-use interface.

Not to mention responsive audience polls, a custom referral program, SEO-optimized webpages, and so much more.

If you’ve considered starting a newsletter, there’s no better place to get started and no better time than now.
