As an information security consultant, I’ve worked with many CIOs over the years. Some get it when it comes to security… and some not so much. Those who don’t are often the ones calling me in after the fact, cleaning up breaches that could have been prevented with stronger executive engagement. I’ve actually seen people in this role run interference with security. I’m assuming so they weren’t made to look bad…Go figure!
A recent CIO.com article on the biggest issues IT faces today calls out the importance of CIO involvement with security. Issue #9, “Security, including third party risks,” mentions that “confidence creates a false sense of security” and that “nearly all security risks now are coming from third parties”. I don’t know that I agree with the “nearly all” part given the internal client struggles I see in my work. Still, it’s a big deal. There’s another CIO.com piece on why CIOs lose their jobs: ransomware, which is obviously one of the bigger security concerns these days.
Too many CIOs assume security is solely within the CISO’s domain. I’ve been saying for years this mindset is dangerous. In my piece on strengthening information security, I explained why CIOs have to own their role in driving alignment between technology and business risk. It’s not optional anymore.
And now there’s AI. Yes, it offers tremendous upside – things like better threat detection, faster responses, smarter automation. But AI also introduces new risks. I’m seeing employees feeding confidential data into ChatGPT, CoPilot, etc. without a second thought. They have absolutely zero training and expectations have not been properly set. Vendors are shipping AI features into systems without explaining how they work or what data they consume. These aren’t hypotheticals but rather today’s problems.
CIOs must step up and partner across the C-suite to manage these risks. In my piece on cybersecurity teamwork, I argued that security isn’t something you delegate and forget…it’s something you lead from the front.
Where do you begin? Go back to basics. As I wrote in my piece on information security strategy essentials, CIOs must get the fundamentals right first. Along those same “basic” lines, my approach to this hasn’t changed in decades. If you’re going to succeed in security, you must:
This approach works whether you’re defending legacy infrastructure or wrangling the latest AI challenges.
Here’s my challenge to you as a CIO: don’t wait for the board to ask how secure you are and where AI plays into it all. This week, meet with your CISO. Ask about your company’s biggest security risks and how AI plays into them. If you don’t have a CISO, then your involvement in security is that much more important. If you lean into security now, you’ll still be in the boardroom a year from now. If you don’t, well, you could be on borrowed time.