In this episode of the SecurityANGLE, we set out to establish a CISO’s Guide to Enterprise Gen AI Adoption. I’m joined by Matt Radolec, VP of Incident Response at Varonis, for a conversation about balancing innovation and risk which is top-of-mind for CISOs today as they work to manage the rapid proliferation of generative AI tools in enterprise environments with the need to manage unprecedented security risks. Matt joined me for this episode of the SecurityANGLE to discuss some of the critical security concerns that CISOs must address and shared thoughts on how CISOs can most effectively walk this tightrope.
CISO’s Guide to Enterprise Gen AI Adoption: Balancing Innovation and Risk – watch the full conversation with Varonis’s Matt Radolec here:
Insights from Varonis’ Data-First Forum Event
Matt and the team at Varonis recently hosted one of their Data-First Forum events: Back to School, CISO Lessons on Gen AI, featuring CISOs from all over the world sharing lessons and insights on all things generative AI. During that event, it was shared that while 67% of organizations are increasing their investments in generative AI, only 20% of organizations feel they are prepared for the risk that comes along with gen AI.
One of the discussion points during the event was some basic fundamentals about Gen AI that people need to understand and highlighted several critical security concerns that CISOs must address. First is the non-deterministic nature of gen AI outputs – identical prompts can yield different responses, making output validation crucial. More concerning is the “pass-through permissions” model employed by platforms like Microsoft’s Copilot and Salesforce’s Einstein, where AI assistants inherit user access rights but possess superior capabilities to locate and access data compared to human users.
Understanding the Core Security Challenges Posed by Gen AI
Another core component of the CISO’s guide to enterprise gen AI adoption extends beyond the challenge of the non-deterministic nature of gen AI outputs and the need for validation, CISOs are also navigating is the “black hole” problem of data ingestion. Organizations struggle to track what information has been fed into these models, and the mere act of querying can lead to unintended data exposure. This creates a significant risk management challenge, as uploaded data cannot typically be “unlearned” without completely resetting the system.
CISOs are asking questions like: is pushing for this a priority, is turning this on a good thing, is blocking this important and measuring them against the biggest question of all: is there a business reward here in line with the business risk posed by this action, for example, a data breach.
What CISOs are dealing with in these instances is the challenge of helping to balance the potential productivity gains that come from using these tools with the security concerns involved. They worry about having the ability to lock down their data quickly and/or in a controlled fashion and help fuel productivity and innovation within the organization but in a way they can feel confident is secure. This is what is on the mind of most CISOs today: balancing the potential productivity gains with security concerns, and a desire to learn how to be an enabler of these GenAI initiatives rather than a blocker.
CISO’s Guide to Enterprise Gen AI Adoption: Success Comes from Identifying Value-Driven Implementation Strategies
A core tenet of the CISO’s guide to enterprise gen AI adoption is lasering in on and identifying value-driven implementation strategies. Despite some of the challenges CISOs are navigating, organizations are finding valuable use cases across various sectors.
The financial technology sector is leveraging gen AI for rapid data analysis and market insights, marketers and knowledge workers are using gen AI for research, content creation, proposal development, and myriad other use cases, while HR teams are using it to streamline the recruiting process as well as to help make the employee experience more seamless. Even seemingly simple applications, like AI-powered meeting transcription, are delivering meaningful productivity gains and seeing rapid adoption raters.
There are many opportunities to utilize generative AI to deliver bottom-line business results, but it’s important to do the homework here and not get carried away and bite off too much at once. The path to success is to be strategic and pragmatic, evaluating opportunities and ultimately focusing on use cases that can deliver definitive results. Here are some thoughts on how you can do that.
Best Practices for Secure GenAI Deployment
Based on Radolec’s insights, we mapped out the basics of our CISO’s guide to gen AI adoption. and a quick roadmap for organizations to consider for secure GenAI implementation:
Do your Assessments First. Evaluate the “blast radius” by analyzing employee data access patterns and permissions before deployment. This helps prevent unauthorized data exposure through AI systems.
Dual Track Testing. CISOs should implement both security-focused testing (searching for potential data leaks) and productivity-focused testing (identifying valuable use cases and best practices).
Access Control. Create secure enclaves for sensitive data using labeling, access controls, and zero-trust principles to prevent unauthorized AI ingestion.
Prompt Monitoring. Actively monitor AI interactions to identify both successful use patterns and potential abuse, such as attempts to access sensitive information like passwords or salary data.
User Education. Invest in prompt engineering training and create user groups to share best practices and innovations across teams.
Building an Adoption Strategy
Success in gen AI implementation requires more than just technical controls and hopefully this CISO’s guide to enterprise gen AI adoption has provided some food for thought. Organizations should identify and empower internal champions who can demonstrate responsible use cases and drive adoption. This approach, combined with careful monitoring and governance, can help organizations balance the productivity benefits of GenAI with necessary security controls.
The key takeaway is clear: while gen AI presents significant security challenges, organizations can safely harness its benefits through careful planning, robust security controls, and active governance. The focus should be on starting small, protecting sensitive data first, and gradually expanding use cases as security measures prove effective.
If you’ve not yet subscribed to the SecurityANGLE on YouTube, slide up there and hit that button so that you won’t miss an episode. Otherwise, we’ll see you back here next time.
See more of my coverage here:
AWS’s Build on Trainium Investment Shows Strategic Focus on Academic AI Development
Autonomous AI Agents: Microsoft’s Bold Vision, an AI OS for Enterprises
