AI is transforming both cyberattacks and cyber defense. It’s never been easier or quicker for hackers to evade detection and access sensitive data. Likewise, defenders have never had this much ability to detect and shut down threats.

How can CISOs and other cybersecurity leaders prepare for an AI-driven future while tipping the scales of change towards the good guys? This article shares 6 essential steps to tackle first.

Key takeaways

Top steps to prepare for an A-driven cybersecurity future include: 

• AI-enabled threat detection
• AI-specific risk assessment
• AI governance
• AI infrastructure security
• AI supply chain risk management
• AI training and skill-building

Step One: Implement AI-enabled threat detection and predictive analytics

There is no way that manual security operations can keep up with the velocity of AI-powered attacks. Emerging AI threat detection tools and capabilities can enable proactive, automated prediction, detection, and response at scale.

AI-enabled threat detection analyzes huge data volumes from across the IT environment, including network traffic, cloud infrastructure, web application interactions, endpoint activity, and user behavior. AI can use behavioral analytics and machine learning to filter, analyze, and correlate all these signals, minimize false positives, and detect attack patterns in real-time. 

Rapidly identifying attack patterns that might otherwise be missed improves the efficiency and effectiveness of security team investigation and response. Shorter detection times (from days to seconds) can help limit incident impacts. 

Among the most popular use cases for AI-enabled threat detection is advanced phishing protection, which uses natural language processing (NLP) to accurately spot even deepfaked phishing attempts and other social engineering attacks.

Step Two: Perform AI-specific risk assessment including AI threat modeling

AI systems—including the ones security teams are using to detect threats—pose unique cybersecurity risks associated with AI-specific attack vectors (prompt injection, data poisoning) as well as behavioral and decision-making risks (biased results, data leaks, rogue actions). To use AI to protect your business from AI, your defensive AI must be secure and governed. Otherwise, it could greatly increase your attack surface.

AI threat modeling is a structured methodology to proactively assess and manage AI risk by predicting, prioritizing, and mitigating the cyber threats targeting an AI system. AI’s autonomy, unpredictability, and opacity make threat modeling extremely important as a starting point for risk reduction. Plus, the incredible pace of AI evolution means you need to reassess AI threats frequently or continuously. 

Setting up AI threat modeling in your unique environment is becoming more streamlined as AI automates and accelerates many manual tasks. However, building effective threat models specific to your business takes comprehensive knowledge of AI risks, deep system context awareness, and ongoing model output tuning.

Moving from a prototype to a production-ready AI model will still require significant human oversight and expertise. Another major challenge is the requirement to understand data lineage, training data, and data pipeline architecture to address attacks on AI data.

Step Three: Prioritize AI governance

AI governance is foundational for protecting models from unauthorized manipulation, validating they operate as intended, and building stakeholder trust in AI. Ungoverned AI can cause significant financial and reputational damage, legal/compliance liability, and societal or environmental harm.

Important reasons to prioritize AI governance include:

• AI governance establishes the boundaries and guardrails necessary for sustainable, scalable innovation and return on investment.
• Without AI governance you cannot manage AI risks from biased, unauthorized, or unsafe AI outputs.
• AI governance reduces risks around ethics and fairness, such as biased or discriminatory hiring or lending practices.
• Governance is central to tracking and reporting on AI compliance.
• A lack of AI governance is a big red flag to customers, investors, regulators, and other stakeholders.

AI systems should be viewed as auditable tools, not “black boxes” with unpredictable outputs. All AI systems in use need to come under an operational governance framework to ensure accountability and appropriate usage. 

AI risk management frameworks like ISO 42001 or the NIST AI Risk Management Framework can help ensure comprehensive AI governance and provide critical stakeholder visibility, especially in the absence of regulation. 

You need to be able to answer questions like: What actions are AI systems taking on your corporate applications and data? What permissions does AI have? How is it arriving at decisions? 

Step Four: Maximize AI infrastructure security

Best-practice cybersecurity approaches like zero trust, defense-in-depth, or “secure by design” matter more than ever given the speed and effectiveness of AI-powered attacks. If the infrastructure that AI runs on is not secure, AI systems and data are vulnerable.

Modern, identity-centered approaches like zero trust are especially important to keep AI systems from gaining excessive data access privileges and massively increasing the attack surface. Meanwhile, AI-powered tools can synergistically enforce zero trust protocols like continuous verification and data leakage protection at the speed and scale that AI systems require. 

According to Mike Armistead, CEO at Pulse Security AI, Inc., security fundamentals are indispensable for mitigating AI risk.

“It’s still about understanding your business situation,” Mike advises. “It’s about knowing really well in today’s distributed environments where your crown jewels are and what you have to protect.”

Mike adds: “I think you have to go with zero trust these days. The systems that run the business have to be strong and without a lot of vulnerabilities because now with AI those will be discovered very quickly. If you don’t cover those security hygiene fundamentals, you’re at such a disadvantage.”

Step Five: Proactively manage third-party/supply chain AI risk

About one-third of data breaches originate with a third party, and those parties’ use of AI (e.g., new AI features in SaaS applications) may only proliferate even more uncontrolled vulnerabilities across a complex and growing supply chain attack surface. Businesses need to understand their third-party risks before they can implement effective defense strategies. 

Knowing how partners manage their AI is also increasingly relevant to demonstrating regulatory compliance and “flowing down” requirements to vendors, especially in critical infrastructure verticals like financial services and defense.

A starting point is to assess each vendor’s AI usage and governance in addition to conventional cybersecurity checks. Make sure they are effectively monitoring AI behavior and addressing AI cybersecurity concerns. Look into service level agreements as well. Many SaaS offerings are not mature in these regards, having prioritized time to market over risk management.

For high-risk vendors, prioritize timely communication about AI new features and updates, as well as other changes that could affect your cybersecurity posture. 

Step Six: Invest in upskilling your team for AI

Security staff need to know how to work with AI and machine learning to get the most from AI’s data analysis and algorithmic decision-making capabilities. AI-specific training (e.g., prompt engineering) can help employees work smarter with AI agents and assistants. Training is also essential to help employees spot today’s highly convincing phishing attacks.

With AI accelerating attacks and repositioning defenses, cybersecurity skills are more important than ever. Businesses must upskill their security teams to battle today’s complex and evolving AI-powered threats.

AI tools can take analytical burdens off humans, but human input remains central to handling high-value incident detection and response tasks. Skilled humans are also needed to manage AI’s limitations and overlay strategic judgment on risky AI decisions.

When hiring new security talent to “use AI against AI,” HR experts recommend recruiting talent from diverse backgrounds, as fresh perspectives, critical thinking, and creative problem-solving can be just as important as cybersecurity experience in the rapidly morphing AI-driven future. 

What’s next?

For more guidance on this topic, listen to Episode 158 of The Virtual CISO Podcast with guest Mike Armistead, CEO at Pulse Security AI, Inc.