GenAI Impacts That CISOs Should Consider | Deloitte US

Posted on Author AIJobNexus

This post was originally published on this site.

Authored by Tara Mahoutchian and Mehdi Houdaigui

Preparing your Generative AI and cybersecurity

Generative Artificial Intelligence (GenAI) is constantly evolving and provides compelling use cases for business today. Leaders should prepare their cybersecurity workforce to face the challenges from the introduction of GenAI to the enterprise and the cybersecurity functionā€™s own processes. Building a skills-based organization (SBO)1 where cybersecurity leaders prioritize building the right skills can help address the challenges GenAI poses. CISOs (chief information security officers) of leading cyber SBOs focus on five skill themes anchored on how GenAI can enhance securityā€™s ability to work faster and better: automate, augment, extend, create, and endure.

To enable GenAI for the cybersecurity workforce, CISOs and cybersecurity leaders should understand how GenAI can automate manual work. GenAI also provides direct support to augment humans by improving productivity and workforce experience. Furthermore, GenAI can extend human capabilitiesā€”performing activities that humans are unable to perform or scale due to the negative relationship between work effort and return on investment. GenAI also helps humans createā€”enabling the development of new skills. Finally, cybersecurity leaders should be aware of certain human capabilities and skills that will endure regardless of the shifting technology.

Automate

GenAI will usher in a significant operational transformation enabling humans to work smarter.2 GenAI tools are revolutionizing cybersecurity teams operations through automation. These are the initial considerations for a security leader:

  • Current roles and requirements, especially in governance, risk, and compliance (GRC), will likely shift as security removes manual and time-consuming processes and activities.
  • Risk management teams will seek to support safe and compliant automated risk assessments.
  • Governance, risk, and compliance teams will automate compliance reviews and policy orchestration to improve mapping of current policies, standards, and procedures against standard industry and regulatory frameworks.
  • Compliance officers will develop trainings for internal compliance policies.
  • Vulnerability management teams will automate testing and automatically develop supporting control documentation based on test results.
  • Incident response teams can triage alerts, correlate events, and guide incident handlers through GenAI capabilities.

As cybersecurity leaders further explore how automation with GenAI can unlock more efficiencies, they should help ensure that the workforce skills measure up to emerging technologies.

Augment

Cyber professionals can produce efficient and reliable results using GenAIā€”augmenting practitionersā€™ ability and freeing up capacity to address more pressing issues. Security leaders can better position their workforce to take advantage as follows:

  • Security talent will likely need to understand use cases and applications of conversational AI to better provide security for the data stored, accessed, and archived by applications leveraging chatbots.
  • Practitioners can anticipate to analyze, process, and manage data through GenAI.
  • The security workforce should understand effectiveness of prompt inputs and engineering using GenAI.

Extend

Many professionals are being asked to deliver on high-priority, operational activities and lack time to focus on strategic asks. GenAI can extend human capabilitiesā€”giving leaders and practitioners the ability to dedicate more time to strategic priorities as follows:

  • Security leaders should understand machine learning (ML), language learning models3 (LLM), natural language processing (NLP), and prompt engineering as these will likely become standard capabilities.
  • Quicker risk scoring, better risk prioritization, and more preventive measures may occur through integration of GenAI into existing processes.
  • Third-party risk review processes, such as analyzing data in vendor-submitted and external documentation, can become easier with GenAI.
  • Threat correlation and detection processes can be enhanced by GenAI.
  • GenAI-enabled phishing detection can help improve the ability to detect threats and/or phishing attempts created by LLMs.

Create

GenAI can enable humans to design, build, test, deploy, monitor, and maintain work faster. Cybersecurity leaders can enable their workforce to create new content by contemplating the following:

  • Risk reporting and executive briefing materials can be created quickly and with actionable and precise threat intelligence.
  • Incident response teams can develop detailed playbooks to guide security analysts during remediation and recovery activities.
  • Cyber communications teams can use GenAIā€™s capabilities for graphic design and presentation accelerators.
  • Code generated from software developers can incorporate security requirements as GenAI recommends amendments before testing.
  • Widespread security and awareness training on Generative AI safety, ethics and compliance, bias detection and mitigation, AI governance and security controls, and AI privacy limitations can be developed, delivered, and tracked for compliance, privacy, and ethics surrounding GenAI usage.

Endure

GenAI cannot replicate certain people skills. GenAI tools can produce misleading information and include a tendency to ā€œhallucinate.ā€ As a result, human capabilities will endure given that GenAI cannot reproduce certain skills inherent to humans, especially when making decisions that require nuanced judgment, ethical considerations, and creative problem-solving. Cybersecurity leaders can do the following to promote enduring human capabilities:

  • Cybersecurity leaders must cultivate emotional intelligence to support the workforce effectively.
  • Leaders should be prepared to interpret GenAI intelligence for effective decision-making.
  • Security workforce can prioritize the use of empathy to support business customers.
  • Leaders should promote critical thinking skills to avoid potentially harmful use of GenAI.
  • Development of interpersonal skills, such as active listening and flexibility, among security practitioners will serve the business that expects to use GenAI more.

GenAI fails to share the human experience that understands the needs and concerns of stakeholders. Reinforcing these skills will help create synergies between GenAI and humans vital for an effective cybersecurity workforce.

Considerations for next steps

There are four potential next steps to prepare the cybersecurity workforce for GenAI use:

  1. Assess current workforceā€™s GenAI readiness: For security organizations, it is important to inventory the skills and readiness for GenAI. New GenAI tooling on platforms can quickly assess work trends, identify gaps, and even recommend training. Regardless of the method, leading cyber organizations use recognized frameworks (NIST 2.0) and common taxonomies (HITRUST) as a foundation for skills assessments. Industry partners can also share insights on the latest skills required for GenAI.4
  2. Adjust formal training programs: Adding modules or virtual trainings focusing on GenAI as a training requirement will help create a baseline across the cyber workforce. Deloitte has leveraged relationships with universities and private institutions to bring formal, tailored GenAI training curricula for practitioners through the Deloitte AI Academy.5 Furthermore, security awareness and training programs can benefit the larger organization with GenAIā€™s ability to create human-centric cybersecurity learnings that improve learnersā€™ experience.
  3. Encourage informal connections for knowledge sharing: As GenAI expertise grows, those who show prowess in Generative AI and cybersecurity can support others who are not so comfortable. Cybersecurity leaders can also promote organic mentoring opportunities (for example, job shadowing, mentorship programs) for on-the-job training.
  4. Update jobs and roles to incorporate GenAI expectations: While GenAI use is still nascent, jobs and roles required to support successful GenAI adoption, such as AI compliance managers and AI security engineers, will likely be needed. Current jobs may rely more heavily on automation and AI to achieve faster outcomes. As these roles evolve to incorporate GenAI use, it is important to keep the job descriptions updated to ensure the right talent is brought in for your organizationā€™s Generative AI and cybersecurity needs.Ā 

For more information on any of the above, please donā€™t hesitate to reach out to our Human Capital Cyber team.

Authors:

Contributors:

Endnotes:

1 Michael Griffiths, ā€œThe skills-based organization: Fueling the 21st century enterprise with skills,ā€ Deloitteā€™s Capital H Blog, September 14, 2021.
2 Jeremy Dā€™Hoinne, Avivah Litan, and Peter Firstbrook, ā€œ4 ways Generative AI will impact CISOs and their teams,ā€ Gartner, June 29, 2023.
3 Manshreya Grover and Mike Kemp, ā€œThe human touch: The ā€˜invisibleā€™ force behind data-driven decision-making,ā€ Deloitte, October 26, 2023.
4 Michael Griffiths and Ina Gantcheva, ā€œSkills taxonomies, ontologies, graphs and clouds power SBOs,ā€ Deloitte, March 2, 2022.
5 Deloitte, ā€œDeloitte AI Academyā„¢ builds tailored Generative AI curriculum in collaboration with renowned universities and technology institutions for Deloitte professionals and clients,ā€ press release, August 24, 2023.