
As AI Gains Ground, Security Leaders Need to Embrace Saying Yes

Cybersecurity chiefs are often viewed as inhibitors of innovation who are likely to veto new ideas in the interest of keeping systems safe. But as agencies increasingly lean on AI, CISOs must find a way to get to "yes."

Back in 1981, the ground-breaking book Getting to Yes: Negotiating Agreement Without Giving In was released by authors Roger Fisher and William Ury.

Getting to Yes teaches readers how to emphasize principled negotiation by focusing on interests rather than positions. It suggests separating people from problems, maintaining open communication and generating options for mutual gain. The book advocates for creating win-win solutions through collaboration and understanding the underlying needs of both parties, ultimately aiming for agreements that satisfy everyone involved while preserving relationships. Readers also learn how to negotiate successfully with people who are more powerful, refuse to play by the rules or even resort to “dirty tricks.”

For over four decades, lawyers, accountants and a wide array of other business leaders have been implementing these best practices on negotiation in both their personal and professional lives.

Meanwhile, within the discipline of cybersecurity governance, there has been a tendency to put products, systems and processes in more “win-lose” categories. For example, a product is either secure or it is not.

The same all-or-nothing labels are often applied to whole systems of people, processes and technology. Is the environment PCI DSS compliant? Does a product hold a FedRAMP or StateRAMP authorization, and at what impact level (Low, Moderate or High) is it approved to operate?

While these security policies and compliance standards are vitally important, CISOs and other security leaders are generally seen as inhibitors of innovation. The conventional wisdom in many public- and private-sector enterprises is that you should avoid bringing in cybersecurity teams on projects because they will just veto whatever you want to do to help the business.

For example, security leaders are often stereotyped as saying, “The answer is no. Now what was the question?” Or business leaders may say, “Just don’t invite the cyber team to the digital transformation meetings.”

Or, in the case of the staff using generative AI tool sets like a personal ChatGPT or Gemini account, they deem it better to ask for forgiveness rather than for permission from leadership.

So as more employees BYOAI (bring your own AI) and as other new GenAI tools are formally sanctioned by governments, security leaders must be at the forefront of enabling the transition. We must lead by example and offer solutions to tough security challenges using the best-practice negotiations identified in Getting to Yes or be left behind as this GenAI boat gets further from the dock.

How can this be done?

In a talk at the 2024 RSA Conference entitled “Securing AI: What We’ve Learned and What Comes Next,” Vasu Jakkal, corporate vice president of Microsoft Security, said that “the pace of AI adoption is far surpassing other technologies.” But at the same time, “We live in the most complex threat landscape in history.”

Jakkal offers this high-level approach to securing AI:
  • Acknowledge that GenAI must be protected comprehensively, covering security, privacy, fairness, inclusion, quality and reliability. Defenders are at the heart of gaining trust in AI.
  • Adopt a generative AI framework to discover, protect and govern:
    • Discover: which GenAI apps are being used, by whom and how often?
    • Map risks and threats across GenAI app development and usage.
    • Mitigate those risks with appropriate guardrails.
    • Govern with a risk-based approach, including policy and regulatory violation assessments, content safety filters and user education.
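The "discover" step is the one most security teams can start on immediately, because the evidence already sits in web-proxy or CASB logs. As an added example (not code from the article or from the Microsoft talk it cites), the script below inventories GenAI usage from constructed proxy log lines: it maps request hosts to known GenAI products, counts requests per app and per user, and flags anything outside a sanctioned list. The log format, the hostname-to-product table, the user names and the sanctioned set are all assumptions for illustration; a real deployment would feed it the organisation's own proxy export and vendor-maintained domain lists.

```python
"""Inventory GenAI (BYOAI) usage from web-proxy logs. Added example, not the article's code."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed mapping of known GenAI service hosts to product names. Illustrative only;
# maintain the real list from your proxy/CASB vendor data or threat-intel feeds.
GENAI_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "gemini.google.com": "Gemini",
    "claude.ai": "Claude",
    "copilot.microsoft.com": "Copilot",
}

# Assumption: only Copilot has been formally sanctioned by this organisation.
SANCTIONED_APPS = {"Copilot"}

# Constructed sample log lines (not real traffic).
# Simplified format: <epoch> <user> <method> <url-or-host:port>
SAMPLE_LOG = """\
1719230000.123 alice GET https://chatgpt.com/backend-api/conversation
1719230001.456 alice POST https://chatgpt.com/backend-api/conversation
1719230002.789 bob GET https://gemini.google.com/app
1719230003.001 carol POST https://api.openai.com/v1/chat/completions
1719230004.222 dave GET https://copilot.microsoft.com/
1719230005.333 alice GET https://www.example.gov/services
1719230006.444 bob CONNECT chatgpt.com:443
1719230007.555 erin GET https://claude.ai/chat/abc
garbage line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+(?P<target>\S+)$"
)


def extract_host(target: str) -> Optional[str]:
    """Return the lowercase hostname from a full URL or a CONNECT host:port target."""
    if "://" in target:
        host = urlsplit(target).hostname
    else:
        host = target.rsplit(":", 1)[0]  # CONNECT targets look like host:port
    return host.lower().rstrip(".") if host else None


def classify_host(host: str) -> Optional[str]:
    """Map a hostname (or any subdomain of a known host) to a GenAI product name."""
    for known, app in GENAI_HOSTS.items():
        if host == known or host.endswith("." + known):
            return app
    return None


def inventory(log_text: str) -> Dict[str, Counter]:
    """Count GenAI requests per app and per user.

    Returns {app_name: Counter({user: request_count})}. Lines that do not parse,
    or that are not GenAI traffic, are ignored.
    """
    usage: Dict[str, Counter] = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host = extract_host(m["target"])
        app = classify_host(host) if host else None
        if app:
            usage[app][m["user"]] += 1
    return dict(usage)


def report(log_text: str) -> List[Tuple[str, int, int, bool]]:
    """Summarise as (app, total_requests, distinct_users, sanctioned), busiest first."""
    rows = [
        (app, sum(users.values()), len(users), app in SANCTIONED_APPS)
        for app, users in inventory(log_text).items()
    ]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for app, total, nusers, ok in report(SAMPLE_LOG):
        flag = "sanctioned" if ok else "UNSANCTIONED"
        print(f"{app:<12} {total:>3} requests {nusers:>2} users  {flag}")
```

Two details matter in practice: CONNECT lines carry only `host:port`, so a parser that assumes full URLs silently drops most TLS traffic, and suffix matching on the domain list catches `www.` and regional subdomains without matching look-alike domains such as `notchatgpt.com`. The per-user counts are what turn a vague "people are using ChatGPT" into the evidence a CISO needs to negotiate a sanctioned alternative rather than simply block.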

We’ve of course seen similar stories play out before. Experienced CISOs have struggled with integrating new technologies ranging from cloud computing to bring your own device to Internet of Things devices on office networks to working from home during the pandemic.

Going further back, I was called a “disabling CISO” two decades ago and almost lost my job when I opposed putting Wi-Fi access in Michigan state government conference rooms for security reasons. Thankfully, I was given a second chance and learned to become a business enabler and that getting to (a secure) “yes” was essential for innovation and my career.

So will you help to securely enable GenAI — or miss this boat?

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.