CISOs Guide to AI
[Securing Things by M. Yousuf Faisal]
Disclaimer: All views presented here, in this newsletter, are my own.
Neither the author nor the newsletter is liable for any actions taken by any individual, organization, business or other entity. The information provided is for education and awareness purposes only and is not specific to any business or situation.
Hi Securing Things Community,
In this newsletter edition, I'll be sharing a 12-step CISO's guide to start Securing Things for the use of AI within the business, along with some of my previous guidance that CISOs may find useful when tackling AI-related risks to their business operations. In addition: 50 reference guides for CISOs, some of my most viewed social media posts (in case you've not seen them), a sponsor's message and my asks.
Special Message:
Before we begin, do me a favour and make sure you hit the “Subscribe” button to let me know that you care and keep me motivated to publish more. Thanks!
Note: remember to validate your email address to ensure that you don’t miss any future newsletter editions.
CISO’s Guide to AI
CISOs need to be on top of both the business benefits and the risks that the use of AI within business operations presents, and establish an AI security and risk management strategy to address AI-related cyber risks.
Here is a list of 12 high-level steps CISOs can take to start addressing AI risks:
1. Build an AI business inventory of use cases across all business units, including tools / solutions, online services / 3rd-party service providers, local LLMs etc., across both IT and OT environments - covering everything from the boardroom to the plant floor and throughout the 6 layers of the automation stack, from Cloud to Level 0 devices (sensors etc.).
2. Review existing and in-progress contracts and EULA agreements for the products / solutions / services that use AI technologies.
3. Assess AI risks to the business via AI-specific reviews, whether against industry best-practice standards (the AI ISO standard), frameworks and/or guidance (NIST AI RMF).
4. Build an AI cybersecurity roadmap to address the identified risks via administrative and technical controls.
5. Define an AI cybersecurity policy as part of the administrative controls - draft, socialize and enforce it. Check out my guidance on the building blocks of an AI cybersecurity policy and reference guidance.
6. Ensure the Security Awareness Program includes AI-related risks - AI use and best practices are factored into the existing Security Awareness Program, with more focused, role-based training for heavy AI users.
7. Ensure cybersecurity tools and solutions are used as part of the technical controls that directly mitigate or minimize the risks identified earlier.
8. Ensure AI SBOM and supply chain related risks are factored into the overall cybersecurity or supply chain risk management program.
9. Ensure strong access control processes are established to approve and allow the use of AI for business.
10. Ensure the use of AI is monitored for data leakage and breaches as part of the overall cybersecurity monitoring program.
11. Ensure Incident Response (IR) plans include AI-related incident scenarios - AI IR playbooks defined and included as part of tabletop exercises / drills.
12. Keep tabs on the latest industry developments, attacks and threat intel against the list of solutions in the AI business inventory.
Plus, misc. other steps specific to your business needs, e.g. if you are developing AI solutions for businesses, security around the development, product/solution and delivery processes.
I've also previously shared some insights - check them out in the following:
AI Cybersecurity Policy & Reference Guidance - covers AI cybersecurity policy construction (key elements), steps for a policy build execution project and several reference standards, frameworks and guidance documents.
Use of AI in Cybersecurity - Insights, Guidance, News and All - covers market insights, a list of tools and a soon-to-be-updated list of cybersecurity tools using AI features, mapped across the 5 domains of the NIST CSF v2 framework.
See the section Artificial Intelligence (AI), Guidance & Regulations - a list of useful AI cybersecurity and risk management resources, standards and guidance that serve in governing the use of AI.
Comment below to add anything critical that I have missed.
Get Securing Things on your Mobile Now :-)
Visit the Securing Things Newsletter website in your mobile browser, and the Install App pop-up will appear.
Press Install App; a pop-up will appear. Click Install to download and deploy the app package on your mobile.
Back in the browser, click Enable to get push notifications on the phone for newly published content. On the pop-up, click "Allow".
See the Securing Things icon that now appears as an app on your phone.
And that's all.
(Sponsored - Non AI cybersecurity)
If you'd like to be kept updated with the latest in AI in terms of news, apps / tools, reports and all the AI buzz in the business, check out the AI Tool Report. It brings you the latest and offers additional courses, groups etc.
Learn AI in 5 Minutes a Day
AI Tool Report is one of the fastest-growing and most respected newsletters in the world, with over 550,000 readers from companies like OpenAI, Nvidia, Meta, Microsoft, and more.
Our research team spends hundreds of hours a week summarizing the latest news, and finding you the best opportunities to save time and earn more using AI.
50 Curated References as additional Guidance
Below is a sample of 50 curated free references available as further guidance:
https://www.csoonline.com/article/2097119/nist-publishes-new-guides-on-ai-risk-for-developers-and-cisos.html
https://www.sans.org/blog/the-ciso-s-guide-to-ai-embracing-innovation-while-mitigating-risk/
https://securiti.ai/blog/cisos-guide-to-tackle-ai-risks-in-enterprises/
https://cloud.google.com/transform/gen-ai-governance-10-tips-to-level-up-your-ai-program
https://hiddenlayer.com/research/securing-your-ai-a-step-by-step-guide-for-cisos-pt2/
https://www.helpnetsecurity.com/2024/07/23/establishing-ai-tools-guardrails/
https://www.paloaltonetworks.com/resources/research/idc-ciso-guide-to-ai
https://www.issa.org/session/ai-risk-management-strategies-for-cisos-in-the-age-of-innovation/
https://www.techradar.com/pro/how-cisos-can-apply-threat-modelling-to-ai-products-in-four-steps
https://siliconangle.com/2024/03/24/four-generative-ai-cyber-risks-keep-cisos-night-combat/
https://www.trendmicro.com/en_us/research/24/g/write-generative-ai-cybersecurity-policy.html
https://blogs.opentext.com/unlocking-ai-potential-for-cisos-a-framework-for-safe-adoption/
https://duo.com/decipher/dhs-releases-ai-security-guidelines-for-critical-infrastructure-sector
https://finance.yahoo.com/news/study-finds-95-cisos-flying-130500943.html
https://finance.yahoo.com/news/absolute-security-survey-reveals-uk-065500023.html
https://www.darkreading.com/vulnerabilities-threats/top-lessons-cisos-owasp-llm-top-10
https://www.gartner.com/en/cybersecurity/products/gartner-for-cisos
https://team8.vc/rethink/cyber/a-cisos-guide-generative-ai-and-chatgpt-enterprise-risks/
https://www.securityweek.com/cyber-insights-2024-a-dire-year-for-cisos/
https://chatgptglobal.news/navigating-ai-security-essential-framework-for-cisos/
https://www.infoworld.com/article/2513039/how-evolving-ai-regulations-impact-cybersecurity.html
https://deloitte.wsj.com/riskandcompliance/cisos-guide-using-ai-for-cyber-defense-d6e06cfc
List your favourite CISO's AI reference guide in the comments below.
Do subscribe to ensure that you don't miss out on future posts.
My Recent Most Viewed Posts:
In case you've missed them - here are some of my recent most viewed social posts.
Chronicles of Cybersecurity Consulting - Assessment Slips to Discovery - 3rd in series
Use of AI in Cybersecurity - insights, guidance, news, certain cybersecurity tools and all. To be updated further in future.
2 years of Independent Cybersecurity Consulting - Progress, Challenges and lessons learned.
Poll on Crowdstrike / Microsoft BSOD incident causing widespread disruption to businesses worldwide on 19th July 2024.
Chronicles of Cybersecurity Consulting - Shortest Consulting Engagement Ever - 2nd in series.
Getting started in IT & OT Cybersecurity - a blueprint / framework to 2x / 5x / 10x your cybersecurity career. Links in comments of the above post.
Internal Audit and IT & OT Cybersecurity Program - a suggested approach for an internal audit team to build their knowledge / skill base and be able to ask relevant questions about an IT & OT cybersecurity / transformation program's activities.
Ways in which I can help
Whenever you are ready, I can help you, your organization or your customers secure the digital transformation journey through:
vCISO / fractional CISO or CISO security advisor services, GRC, assessments / reviews / gap analysis, advisory, strategy, security / AI policy or standards development, ISO 27001, PCI DSS and other frameworks, architectural reviews, and configuration hardening for IT & OT cybersecurity engagements.
(A few examples - IT & OT Cybersecurity Strategy, Program, Execution and Management for SME manufacturers; the OT Cybersecurity Best Practices Requirements Specification (OTCBPRS) Toolkit; a 3-step process for evaluating and implementing OT IDS / anomaly detection / network security monitoring solutions; the OT Cybersecurity Management System (OT CSMS); and Cybersecurity SMB toolkits including ISO 27001, etc.)
B - IT & OT Cybersecurity Trainings & Education
General Security Awareness Training & Phishing Awareness Portal for SMBs. Start your cybersecurity journey with a free cyber health check / questionnaire-based review that will help in building a cybersecurity roadmap and security awareness program.
Securing Things Academy (STA) - Training, Coaching and digital downloads for IT & OT Practitioners - pre-launch coming soon.
Securing Things Newsletter - providing insights and educational content on IT / OT / IOT / IIOT cyber-physical and AI security.
Reach out at info[at]securingthings[dot].com or DM me via LinkedIn.
My Asks
I invite the #SecuringThings community to share their feedback.
Your feedback and input are invaluable to me as we work together to strengthen our cybersecurity defenses and create a safer and smarter digital society. Thank you for your trust and continued support.
Do register, validate your email, and request a login link to submit the poll for a chance to win a future course giveaway.
Thanks for reading - until next edition!
It’s a Great Day to Start Securing Things for a Smart & Safer Society.
Take care and Best Regards,
M. Yousuf Faisal.
Follow: #securingthings on LinkedIn | @securingthings on X/Twitter & YouTube.