Risk Management for CISOs: Balancing Security and Business Innovation

Trying to balance security and innovation has always been a challenge for CISOs, but now AI is making it even more difficult. See how CISOs can embrace AI while mitigating their risk.


Summary

AI offers exciting possibilities, but it also brings challenges. Understanding the risk landscape and taking measures to mitigate risks can help CISOs strike a balance between securing information and fostering innovation.


Chief information security officers (CISOs) have always had the not-so-easy task of securing information without stifling innovation. The difference now is they have AI to deal with, making this central tenet of their role even more essential to the survival of their companies. 

AI presents unique challenges in the form of data management, data sprawl, data protection, and data drift. As AI and machine learning models grow in complexity, so too do the systems that support their training and implementation, leading to increased risk and costs. 

A recent Pure Storage survey found that 88% of IT leaders would prefer to spend their budgets on innovation rather than cybersecurity threats, and 98% feel their organization’s infrastructure needs improvement to support risk and innovation initiatives. 

Most CISOs already know that balancing security and innovation is much easier said than done. Many feel they’re in a constant game of cat and mouse or catch-up: As soon as they secure something, a new threat arises, and the game continues. 


“I don’t feel I have the luxury at the moment to discriminate between different threats. They’re all kind of out there, and any of them can hit us at any point in time.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

To truly foster innovation while securing information, CISOs need to both fully understand the current risk landscape and take proactive measures to get ahead of the next challenge. Let’s look at what they can do to achieve this. 

Understanding the Current Risk Landscape

Eighty-six percent of surveyed IT leaders rank reducing their organization’s risk profile as their first priority. But before they can take measures to eliminate these risks, they have to fully understand them. 

What are the risks?

1. AI

AI is everywhere, and so are its risks. The OWASP AI/ML Top 10 identifies the biggest risks associated with AI systems, including:

  • Model inversion: When attackers reconstruct sensitive training data from the AI model itself.
  • Privacy violations: Intentional or unintentional misuse of the personal data used to train AI models. 
  • Data poisoning: When bad actors introduce manipulated training data to sway an AI model’s output.

And let’s not forget about AI’s “black box issue,” when a system hides its inner workings and reasoning from its users. Although explainable AI will certainly help with this, AI explainability is still far from being a system-wide standard. 

2. IoT

The proliferation of “connected” devices has added a whole new dimension to enterprise risk management for CISOs. IoT devices tend not to be patched and are often left out of asset management tools, requiring CISOs to get very specific about mitigating IoT risk. 

“We have solutions in the internet of things (IoT) fields and we manufacture an IoT device. A concern is about IoT vulnerabilities, because, as you know, with those devices, it is not always possible to manage a control as you do with IT assets in terms of patching, upgrading network security, etc. And so we are thinking about and implementing some specific techniques for mitigating risks.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

3. The Cloud

Ensuring safe cloud migration and operations is a key priority for CISOs. The cloud comes with its own set of risks, including rising costs, lack of visibility, insecure APIs, and the potential for data loss or leaks. Unmanaged attack surfaces are often the culprit of major cloud issues, but human error and misconfiguration are also very common. 

Other cloud security issues include compliance and identity and access management (IAM). Compliance can be tricky to navigate because a compliance report reflects a single point in time, while CISOs are responsible for staying on top of gaps that arise continuously and need fixing. Compliance reports go to clients, investors, and boards and paint a picture that all is secure and buttoned up. 

“A struggle is justifying more funds for more robust protection when compliance reports would suggest everything is under control, when in reality, it’s a job that’s never over.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

IAM has also become a major issue, as traditional security tools like firewalls often fail to address the modern network perimeter or identities (both human and non-human), forcing CISOs and their teams to rely on process-focused solutions like privileged access management and controls like multi-factor authentication. 

4. Operational Risks

The growth of AI’s complexity has increased both the amount of data AI consumes and the operational and infrastructure risk companies face, for example from legacy systems. Think of a car that can no longer fit its engine—it would simply stop working. Likewise, once your data deluge overpowers or outgrows your systems, they will stop working, and so will your applications. 

More than 8 in 10 IT leaders believe AI-generated data is likely to outgrow their organization’s current data centers. – “The Innovation Race” 

Legacy systems were designed before AI, which makes them an attractive target for attackers. Patching and updating these systems is usually a logistical nightmare. 

There’s also the issue of data drift, when the structure, semantics, or infrastructure of data changes unexpectedly and without documentation. This happens often in modern data architectures, and it can corrupt data and break downstream processes.
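As an added illustration that is not part of the original post, here is a small structural drift check that compares a batch of incoming records against a documented baseline schema and flags undocumented fields, missing fields, and silent type changes. The baseline schema, the sample records, and the 5% threshold are constructed for this example.

```python
from collections import Counter

# Constructed baseline: the documented schema for an event feed
# (field name -> expected Python type). Values are assumptions for this example.
BASELINE_SCHEMA = {"user_id": int, "email": str, "amount": float, "country": str}

def record_schema(record):
    """Map each field of one record to its observed type."""
    return {k: type(v) for k, v in record.items()}

def detect_drift(records, baseline=BASELINE_SCHEMA, threshold=0.05):
    """Compare a batch of records against the baseline schema.

    Returns a dict with:
      added   - fields never documented in the baseline, with counts
      missing - baseline fields absent from records, with counts
      retyped - baseline fields whose observed type differs, with counts
      drifted - True when any single deviation exceeds `threshold` of the batch
    """
    added, missing, retyped = Counter(), Counter(), Counter()
    for rec in records:
        observed = record_schema(rec)
        for field, typ in observed.items():
            if field not in baseline:
                added[field] += 1
            elif typ is not baseline[field]:
                retyped[field] += 1
        for field in baseline:
            if field not in observed:
                missing[field] += 1
    n = max(len(records), 1)
    worst = max([0, *added.values(), *missing.values(), *retyped.values()])
    return {"added": dict(added), "missing": dict(missing),
            "retyped": dict(retyped), "drifted": worst / n > threshold}

# Constructed sample batch: the upstream feed silently changed `amount`
# from a number to a string, added an undocumented `promo_code` field,
# and dropped `country` from one record.
SAMPLE_BATCH = [
    {"user_id": 1, "email": "a@example.com", "amount": 10.0, "country": "US"},
    {"user_id": 2, "email": "b@example.com", "amount": "12.50", "country": "DE"},
    {"user_id": 3, "email": "c@example.com", "amount": "7.25",
     "country": "FR", "promo_code": "X1"},
    {"user_id": 4, "email": "d@example.com", "amount": 3.0},
]

if __name__ == "__main__":
    print(detect_drift(SAMPLE_BATCH))
```

Running the check on each incoming batch and alerting when `drifted` is true turns an undocumented upstream change into a visible event instead of a silent data corruption.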

Being Proactive about Addressing Risks to Foster Innovation 

There’s a lot CISOs can do to be proactive about addressing the modern-day risk landscape, including:

1. Creating a Culture of Transparency and Awareness

Remember, “If you see something, say something”? CISOs would do well to implement and enforce the same kind of mindset within their organizations. 

Security is a team effort requiring the participation of everyone in the organization, from the executive team to the engineers on the ground. It’s essential to cultivate a culture of security awareness where each person understands the risks associated with AI in operational technology and actively works to mitigate them.

A key element of this is demanding transparency from AI developers and vendors, and doing whatever you, the CISO, can to understand how the AI systems they’re designing work and the rationale behind their decisions, which helps prevent problems like decision bias. 

Let your engineers and developers know how much power they wield in allowing something bad to happen. They should be asking, “How am I a vector?” and thinking through every small action and what it could lead to.

“Engineers with a higher level of access should be brought to the table and make them part of the plan. No backdoors, no workarounds… learn from their processes and implement security controls for those processes. But low-level access (e.g., marketing) can still compromise systems.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

And training, of course, is key. 

“Make training less of a burden, more relevant to job roles, and something they aren’t skipping past. Training is only effective to address ignorance.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

2. Implementing Continuous Learning and Adaptation

Your security strategy should evolve with AI. CISOs should stay up to date on the latest threats and vulnerabilities, attend industry conferences, participate in training programs, and always be learning from the experiences of others. 

They should also support research into robust security solutions for AI, contribute to industry initiatives, and collaborate with academic institutions to accelerate the development of effective safeguards.

Continuous threat monitoring is an important part of all this. CISOs need to regularly assess their AI systems for vulnerabilities and adapt their security measures as the threat landscape evolves. They should be extremely engaged with their developers as they train and test new AI models. 

The plan should also include a plan for the “human element.” 

This is the heat of battle. You can practice all you want, but rehearsals won’t change what happens in the moment. From an incident response perspective, it’s more than running the processes; it’s managing people, egos, panic, and fires.

“A manual for compliance won’t mean much in a tense scenario when you need people to be able to act on the procedures you’ve practiced.” – Perfecting Cyber Resilience: The CISO Blueprint for Success

3. Building a Resiliency Architecture 

Finally, CISOs should build a resiliency architecture. What is a resiliency architecture?

It is an architecture with multiple levels of recovery built in, one that does not have to rely solely on backups and uses mechanisms such as snapshots to achieve the lowest possible recovery times for an organization’s recovery time objectives (RTOs).

A resiliency architecture can provide near-instant recovery in any situation, resulting in:

  • Reduced management overhead
  • Improved environmental and sustainability metrics
  • Enhanced ability to test and prove the environment is working—and confirm that your recoverability goals are being met

The quicker you recover, the less time, money, and resources your organization spends on risk management, and the more time, money, and resources it can put toward innovation. 

Conclusion 

With a proactive, informed approach, CISOs can navigate the exciting world of AI while still effectively managing risk. They should embrace AI as a powerful tool but never lose sight of ethics. With knowledge-building, collaboration, continuous improvement, and a resiliency architecture, CISOs can lead their organizations into a new world that maximizes innovation and minimizes risk. 

Bottom line: CISOs should never have to choose between managing risk and fostering innovation. With powerful, foundational technology like the Pure Storage platform behind them, they don’t have to. 

Pure Storage was designed to enable innovation and minimize risk. With an Evergreen architecture and a disaster-recovery-as-a-service solution, Pure Storage provides non-disruptive upgradability so you won’t have to worry about data migrations again or your next disaster’s effect on uptime or reputation. 
Learn more about how you can use Pure Storage to drive innovation and run your business without disruption
