
Hi folks, welcome back after lunch. Um, I hope there weren't too many carbs on the menu. I looked, I looked for the salad bar really, but couldn't find it. Uh, welcome back. Um, thank you for attending. I think some of these tracks, you know, it's a bit of a competitive situation, you know, we're fighting for, for people to come and listen to what hopefully we value, we have to talk about, so thank you. Um, let's, I've stayed into it. You know, we've, we've heard a lot about gen AI. I'm sure you can't turn it around without seeing this and having people ask you about what flavor and what would you like to do with gen AI and how can gen AI
save your life or that. And I thought it might be an interesting place to start, to say, where is gen AI right now? And I, I just found this video and I thought you might find it amusing, and we'll, we'll just dive into it. So this is what gen AI thinks human movement is like, and this is, this is how people behave. I think this was like when the shrooms and the acid started, like, really, it was just like a bad, bad reaction, you know. I want what those guys were on. So sometimes, you know, we see the stuff that's been generated by Sora and whatever else, looks fantastic, right? But those are very, very specific prompts on
very, very specific data meant to give you that wow factor. Uh, when you actually ask it to just go wild, it does. Uh, I'm not sure how we would ever replicate that, but anyway.

So I think it's important for us, you know, as security professionals, to separate the fact from fiction. Um, 'cause I'm, I know you guys, probably in every day, somebody's asking you to do something more and insane and crazy and with less budget or with less people or with the same, or "can't we just do this with AI?" And you're like, you know, it's a coffee machine, guys, there's only so much you could do with AI in that space. So I thought it'd be
useful to give CISOs a, a bit of a, a field guide. And what I mean by a field guide is that this is kind of a thing that we have within Deloitte that's a, it's a bit of a living document, so as the space evolves, you know, we, we kind of populate this, we update it with kind of what's happening, because it's just so much of movement in the space, it's extremely difficult to kind of keep track of what's, what's going on. So just as an outset, got 15 minutes, I'm going to whiz through some of the stuff, but as a, a baseline. And I think the slides will be shared, so don't, don't worry about trying
to memorize stuff and things like that, I'm happy to share it.

But just to give you a view of what gen AI is, right, why is it so special? In, you know, 20 years ago the big thing in computing was, we're going to use laptops, wow. You know, if you think about mobile devices and where they were 20 years ago to where they are now, if you think about your laptop 20 years ago to where it is now, the laptop's kind of stayed in the Stone Age. It's pretty much the same form factor, it's still got a mouse and a trackpad and a screen and all that stuff, still takes forever to boot, right? You've got a processor that
can launch space shuttles and you still got to wait for Teams for 5 minutes to figure out what it's doing, right? But your mobile is, is actually, if you think about it, your dependable workhorse. You pull it out, check mails, do things, browse the web. It's quick, it's fast, it's reliable, it gets it done, right? Gen AI is to computing now what mobile was and is to laptops 20 years ago. This is the worst it will ever be, and that is the scary thing, because it's absolutely not a way of doing things. We were in a conversation with a client the other day and they were talking about what does an economist's job look like in 2030. I was like, why do
you need an economist in 2030? What does that person do? If they're just taking data, crunching it and giving you an output, congratulations, that is exactly what AI does. The more routine the data, the more routine the work, the more precise the outcomes, the better suited to AI. So think about that, right? This is not just clever marketing and fancy shenanigans, it is actually, uh, it's a monumental change, it's a shift in the way that we actually think about our own roles, sometimes in scary in the world.

Um, I know there's a lot of focus around compliance, and I can tell you, you as a, told you guys, as a previous CISO, 40% of my time was spent on reporting on
stuff. You think, I'm going to be a CISO, that's so cool, I'm going to be doing all this incident stuff. Incident, 15 minutes; reporting, 6 weeks. It's like, suck the joy out of life, tell me. But there is a, a wealth of legal framework, wealth of legal knowledge that is available, uh, and this is important because it's incredibly difficult to go back and retrospectively make something compliant. It's very difficult to unbuild a house and rebuild it, so you rather just take cognizance of what's happening, even if some of this regulation is still pretty new, it's still emerging. As I told you, no, no one's got the space figured out, they will try and tell you that. Take
cognizance of the, of the regulations, take cognizance of what you're doing, and try and kind of build, steer the ship using some good principles, good practices, right? And, and also try to steer clear of the pitfalls.

This thing is not perfect by any means, right? If you remember the gymnasts. One of the, the, the ones that made it, made headlines the other day was hallucination. So gen AI, you know, you take old, you create new; the new doesn't necessarily have to be real. And a bunch of lawyers in New York found this out by using ChatGPT to generate, uh, documents for submission to court, and it was cases that were false, those cases didn't exist, and those doctors, uh, those
lawyers, sorry, were disbarred. Now can you imagine when you have a doctor who's trying to use gen: patient has a headache, blah blah, congratulations, it's cancer. Now that's like your WebMD answer; gen AI is going to come up with something even more creative, right? So you're going to have looking for like West Nile virus and everybody and all sorts of manic behavior because AI said so. Let's be very clear around, there are risks, there are limitations, right?

There is a very strong bias focus. In South Africa, we are not Western Europe, we are not Asia, we are not North America; our per capita, our incomes, etc., all very different. And why this is, why it's
important is that AI gets used quite often to kind of generate interest rates for home loans. So if you think about it, it's gathering a lot of information about a particular person, it's kind of looking at what is this person's kind of profile, how do they behave, where do they live, how long have they lived, blah blah blah blah blah, and then they say, well, this guy looks like he's a good risk, prime plus one. But now if you go put in Western European data and you normalize for rands and you realize this guy is living in poverty, your interest rate will be like prime plus 10. That's an immediate bias. The data's skewed because the fundamental
underlying fabric of your AI assumptions was wrong. So you got to be very careful about when you're buying off-the-shelf stuff and using it in your own environments as well, right?

The other bit coming into this is around, what is the, what is the model of AI that you want to consume? We are all very familiar with AI as a service, which is the extreme right-hand side, that's the ChatGPTs, the Llamas, the Claudes, the Opuses, all of the stuff that's being built as a service, right? Which has its place, it's a very nice sandbox for you and your innovation teams to go and play, see what's available. You know, ask it to do a
security strategy, ask it to go and, you know, give you a risk framework. It is really good at doing that because that's what the models were trained on, right? Ask it to do a BCM plan, cool. Ask it how to roll back CrowdStrike updates, maybe not so cool, but you can try, right? And that's because it is a general-purpose model that's been built for that sort of stuff. If you're going to do something serious in-house with your own information, where you need to rely on the results and you need to take those results and actually do something that is important to your business, you are probably going to go more towards a private, internally developed, uh,
architecture, and this is really kind of using those LLM tools, the frameworks, but using your own data. Now, I don't know about you guys, in, in, in Deloitte we have a tool called KX, called Knowledge Exchange, which is supposed to be like the, you know, where you go and find all the answers, and you can get lost in there for days and you'll forget what you were looking for, but you didn't find the answer. So, you know, if you guys are in that sort of data management, knowledge management space, that's a great use case for your LLMs. Put your stuff in, you take your strategy, your proposals, your, your information, put it in there and make it
searchable, make it usable in a way that you didn't think was possible previously, that you, without like, like a flat Google-type search. And that's a nice way to build business value and actually see whether this thing is actually usable in, in your world as well, right? So that's the, that's the modalities.

From a risk and a cyber perspective, they are, they are seriously, you know, a few things that we got to look at, and luckily, you know, lots of very clever guys have given this, um, given us some thought. So the first thing is about, AI does have some unique risks. Uh, some of the further slides you'll see, some of the risks are also kind of
common across other things because of the underlying infrastructure and fabric, but there are some unique risks like the data risk, the bias, hallucinations, all of that sort of stuff, repeatability, traceability, all of that sort of stuff. There's the technology risk, and this is really talking about, and if you're using cloud infrastructure or you're using in on-prem, it's all the usual infrastructure-type risks that we know and love that, that come into play. And then you've got the regulations, right? And, and the regulations are the bits that are actually going to be quite a compelling, um, case to give us directionally where we need to go. So if you are using AI for financial model, credit risk modeling, all
of that sort of stuff, you need to show from input to output how you got your answer. If you're using it in a trading flow environment, from input to output, how did you get your answer? What is the repeatability, what is the traceability? Because it's, it's incredibly important that when people look at the data that you provide, that there is confidence in what you're saying. You know, one of the challenges, if you'll try with ChatGPT, is you can give it the same prompt three times in a row, you will get three different answers or three variations on the answers. That's not good enough when you're talking about, you know, really, really high, high critical and, and high-profile and
critical kind of activities like financial and healthcare, etc. You don't want to tell the patients it's a headache, or maybe you got shot, or maybe you got that; that doesn't work, right? So how do you build confidence on this thing that it doesn't work? And there's a whole bunch of, um, OWASP and, and MITRE kind of things to look at as well, uh, and we'll talk about that in a little bit more detail just now.

Coming to framework, I mean, it wouldn't be a Deloitte presentation if we didn't give you a very complex framework with lots of blocks and moving parts. Uh, this is why it's a handout as well, so you can have a
look at it, but it really talks around, you know, looking at the threats, the risks, regulations, the standards and trustworthy AI goals. Trustworthy AI goals is what's been kind of promulgated by the European regulators, but there's also a whole lot of things about trustworthy AI and using what we have now. And I think that's the important bit, that we go back to our organizations when using what we have now, how do we adopt this? Because there's not going to be, you know, AI-specific firewalls, AI-specific DLP. You'll get the marketing way, but it'll be the same old tooling under with an AI sticker on it, right? So we have to have a plan, as Dom
said this morning, to get there from here. We know here; we don't know what there looks like, honestly. So how do we take the stuff that we have now and kind of look at this in a, you know, minimum viable product way? How do you channel that, when the guys who are going to play with this stuff are not just taking, you know, your entire internet and dumping it onto an AWS cloud storage system and then mining it? That's cool for that guy, not so cool for you when you've got to go and figure out, how do we get our data back, has it been lost, what's the investigation, who accessed it, you know, all the stuff that
we have to like live with in the real world, right? So there's, there's a couple of things here that, that really comes into it, and I think it speaks to how does cyber integrate into the organization. Again, as much as we're talking about this is an AI conversation, do we have visibility of all, all of these different innovation streams and who's playing with AI in our world? Because there are people playing with it, right? It's, it's a usable tool, it seems to be very valuable, um, and there's a lot of interest. So again, shadow IT, DevSecOps, secure coding practices, code verification, all, all the stuff that we have now, that needs to go into that, into
that space as well.

Um, the one bit that we're finding AI being used for quite, quite often and quite use, quite usably: third-party risk management. Now if you think about your environment, right, if you're a large bank you probably have 10,000-plus vendors, if you're a mining house you probably got a couple of hundred, maybe a thousand, but there's probably always a handful of guys who are incredibly meaningful to the business, high-risk vendors, right? So third-party risk management is an incredibly labor-intensive process, and by using AI tools to go and mine, scrape data, etc. and complete questionnaires and all those sort of things, you can actually get a better, better handle on your third-party risk
landscape, and in cyber that's actually one of the first use cases that we are seeing, because it's quite a tough problem to solve, uh, but it needs to be solved. The other one we're talking about, and we're seeing quite often, is around audit-ready ERP. You know, and audit-ready means that when you go in and the auditors arrive and they want to see all sorts of, you know, reports and that sort of stuff, the ERP is using an AI engine to generate those reports, reports to give to auditors, so you don't have to go and spend days and hours looking for that information and faffing around. So there are a couple of very, very useful cases,
there's a couple of very real cases that you can look at now. But that notion that, don't worry guys, we're going to stick gen AI on top of our SIEM and we don't need L1, L2 monitoring anymore 'cause it's going to take care of it: maybe in 5 years' time, and there's a road map to get there. Today we just have weird-looking gymnasts.

Cool, thanks guys. I think we're on time. The rest of this is, is actually just going into detail about each of these, and as I said, I'll share these slides so you can actually have a look at it. Uh, and this was just a quick talk, right? Happy to take feedback, happy to
engage further for where you guys are and that sort of stuff and have a discussion, and let's build community and, and, and, and have this as a talking point amongst ourselves, you know, in terms of how we share this journey going forward. Thanks guys, cheers.