Introduction

With artificial intelligence (AI) use growing in the enterprise, Chief Information Security Officers play a critical role in its implementation and adoption. CISOs need to prepare for the risks associated with AI content creation as well as AI-assisted security threats from attackers. By following some key best practices, we’ll be better prepared to safely welcome our new robot overlords into the enterprise!

AI is Growing Fast

Artificial intelligence isn’t a brand-new development; for example, AI and machine learning (ML) already drive many of our solutions here at F5. However, the popularity of ChatGPT sparked massive interest in the potential of generative AI and many businesses are deploying it across the enterprise. AI technology is now in the wild—and it’s moving faster than any other technology I’ve seen.

There are several compelling use cases for generative AI in the enterprise:

• Content Creation: Tools such as ChatGPT can assist content creators in generating ideas, outlines, and drafts—potentially saving individuals and teams significant time and effort.
• Learning and Education: Properly trained AI tools can be used to quickly understand new and complex subjects by summarizing large amounts of information, answering questions, and explaining complicated concepts in simple language.
• Coding Support: Tools like GitHub Copilot and OpenAI’s API Service can help devs write code more efficiently and identify errors for queries.
• Product and Operations Support: Tools can be used to more efficiently prepare common reports and notices, such as bug resolutions.

Issues and Challenges

However, there are challenges to overcome. One is the question of whether using AI at all will run afoul of laws and regulations in international markets. Earlier this year OpenAI temporarily blocked the use of ChatGPT in Italy after the Italian Data Protection Authority accused it of unlawfully collecting user data. German regulators are looking at whether ChatGPT adheres to the European General Data Protection Regulation (GDPR). In May, the European Parliament took a step closer to issuing the first rules on use of Artificial Intelligence.

Another challenge are the issues around data collection and the accidental disclosure of personal or proprietary information. Companies need to secure their confidential information against, and ensure they aren’t plagiarizing from, other companies and individuals who are using the same tools they are. We’ve already seen reports of intellectual property being entered into public generative AI systems, which could impact a company’s ability to defend its patents. One AI-powered transcription and note-taking service makes copies of any materials that are presented in Zoom calls that it monitors.

The third major challenge is the threat of enhanced cyberattacks. AI-powered cyberattack software could try many possible approaches, learn from how we respond to each, and quickly adjust its tactics to devise an optimal strategy—all at a speed much faster than any human attacker. We have seen new sophisticated phishing attacks that are utilizing AI, including impersonating individuals both in writing and in speech. An AI tool called PassGAN, short for Password Generative Adversarial Network, has been found to crack passwords faster and more efficiently than traditional methods.

CISOs and AI

As CISOs, our job isn’t to say no to new technology. We ask questions, and we provide guidance to help leaders create an organizational strategy. A good AI strategy provides guidelines for use and takes into account legal, ethical, and operational considerations.

When used responsibly and with proper governance frameworks in place, generative AI can provide businesses with many advantages ranging from automated processes to optimization solutions. Let’s look at some things you need to think about, and what actions you might need to take, based on generative AI’s risk posture.