Why I think CISOs are New Zealand’s Avengers
As GenAI emerges as a force for both good and evil, it’s time for CISOs to step into the spotlight and become the heroes of New Zealand businesses.
GenAI is a superpower
In a country renowned for its innovation and agility, New Zealand businesses are applying their “give it a go” attitude to generative AI (GenAI). These tools are highly alluring and readily available. Up for grabs are incredible opportunities to drive innovation and enhance productivity. And it’s easy for people to sign up and start using the multiple tools on the market.
But by going out on their own, without expert assistance, excited business teams are unwittingly putting themselves and the entire organisation at risk.
Letting business silos experiment with GenAI without robust cybersecurity guardrails can expose companies to significant threats, including data and privacy breaches, and sophisticated cyberattacks. GenAI systems often require access to vast amounts of sensitive data to function effectively, making them attractive targets for cybercriminals. Plus, the complexity and opacity of AI algorithms can create vulnerabilities that are difficult to detect and mitigate.
Adversaries are already targeting vulnerabilities in AI systems. Security researchers have used prompt injection – engineering prompts to deceive systems into bypassing filters or guardrails – to attack conversational bots and infiltrate systems.
GenAI is also helping attackers become more efficient and more effective, and giving them the ability to inflict more damage. In an increasingly hostile cybersecurity environment, the last thing companies need is for well-meaning employees tinkering with GenAI to accidentally expose organisations to risk.
CISOs are the guardians of responsible GenAI use
The answer is not for CISOs to shut down GenAI experimentation. Quite the opposite. As the EY 2024 Global Cybersecurity Leadership Insights Study suggests, CISOs must lead the business to confidently deploy AI, helping teams maximise the value creation potential from the AI tools they look to implement.
The study offers actions for CISOs to consider as they move into what will inevitably be a far more visible leadership role:
· Embed cyber professionals into the AI use case identification and intake and governance process – This early-stage insertion will allow for cyber integration commensurate with the sensitivity of the data and business function.
· Publish and govern AI acceptable use standards across the business – Outline the guardrails and guidance under which the business and supporting technologists should design and build AI solutions.
· Establish AI principles and guardrails to support experimentation – As businesses rapidly experiment and adopt AI, it is essential for CISOs to move quickly to protect and accelerate the rate of innovation.
· Help the business get use cases to market faster – Make ‘secure by design’ the fastest route to market. Develop a pre-configured and pre-sanctioned set of architectures, integration patterns, and technology stack components to support business use cases.
· Target cyber enablement – Use a practical AI security and risk framework to aid in getting “yes” for the business while remaining within risk tolerances.
As a starting point, there should never be a GenAI conversation without cybersecurity at the table. When it comes to GenAI, cybersecurity has to be embedded at the outset.
When CISOs are there from the get-go, the perception of cybersecurity shifts from a team that comes in at the end and says ‘no’, to the leaders enabling and accelerating the pace of (responsible) GenAI adoption.
CISOs are banding together behind the scenes
For the last few years, the nation’s CISOs have been meeting regularly – via EY-organised CISO communities and many other forums – to share ideas and learnings about how best to defend their organisations from cyber threats.
In a small market, with everyone facing the same issues and challenges, CISOs are collaborating to assess the biggest threats and possible solutions. Those who’ve experienced attacks regularly share their knowledge and learnings. Now, the conversation has shifted to how to get the best out of GenAI while protecting against its many risks.
Being a CISO is no walk in the park. They are the guardians of business, employees and customers, shielding them from cyber threats. They are often unsung heroes until disaster strikes – when an organisation is under attack. I envision our New Zealand CISOs as the fearless champions in our next epic saga – the Avengers assembling to thwart the existential peril of GenAI-fuelled cyber onslaught and safeguard the New Zealand economy.
Historically, CISOs have not been good at engaging the business and showing people the value of the cybersecurity function. But if ever there was a time when CISOs had the chance to claim their Avengers badge of honour – it’s now!
The views reflected in this article are the views of the author and do not necessarily reflect the views of the global EY organization or its member firms.
General Manager Financial Crime Compliance
10mo: Awesome article - love the simple (yet complex) articulation.