New research from Trellix, in partnership with the Center for Strategic and International Studies (CSIS), reveals that 92 percent of chief information security officers (CISOs) question the future of their role amidst growing AI and generative AI (GenAI) pressures.

CSIS hosted a conversation today to discuss the research report, which features survey responses from 500 security executives in North America on how AI and GenAI are affecting the role of the CISO.

“One of the biggest challenges we face is that the role of the CISO can be redefined over a 24-hour period,” said Harold Rivas, the CISO at Trellix.

For example, he said a completely new threat actor or novel technique can emerge that can “change fundamentally” an organization’s cybersecurity posture, investments, and strategy.

“Those things are creating stressors,” Rivas said. “That was true before GenAI, now we’ve added a massive accelerator – something that’s giving this disproportionate capability to the attacker that allows them to innovate very rapidly to try new techniques. Ultimately, we’re in a game where we lose if they score one time. That’s a very challenging proposition for CISOs everywhere.”

Grant Schneider, the former Federal CISO and current senior director of cybersecurity services at Venable, added that AI makes it difficult for a CISO to stick to a plan.

He explained that most CISOs are “probably aware of the vast majority of the vulnerabilities and the risks in their environment,” and they develop a project plan to address those vulnerabilities. Typically, he said, CISOs would prioritize them based on the “likelihood of being exploited and impact if they are exploited.”

For instance, if something is more difficult for an adversary to exploit, the CISO would place that vulnerability “lower on the list” and not worry about it as much.

“AI brings the adversaries an ability to find all of the vulnerabilities really, really quickly,” Schneider said. “So, now if I’m a CISO, I’m really stressed over my 12 or 18-month project plan to work off these 20 items, or whatever it is, because I know any one of them could bite me at any moment. Whereas maybe a couple of years ago, I felt like the odds of someone finding that really unique vulnerability and being able to exploit it were pretty low.”

“I think anyone that has vulnerabilities that they haven’t gotten to, the more of them that you have, the more risk you’re going to be facing and at a higher level than you were before,” he said.

According to the report, 90 percent of CISOs feel they are exposed to increased liability as a result of AI and GenAI. Additionally, 87 percent of CISOs regularly work outside of their contracted hours.

As a result, CISOs are looking to policymakers for guidance. Ninety-two percent of CISOs say using GenAI without clear regulations would put their organization at risk, with nearly all (99.8 percent) agreeing greater levels of regulation are required in the next 6 months, particularly surrounding data privacy and protection (55 percent).

Grace Dille
Grace Dille is MeriTalk's Assistant Managing Editor covering the intersection of government and technology.