The business world has been swept up in AI fever, and you can expect it to be on full display at RSAC this week. Almost every corporate boardroom and executive team in America is debating how to get the most out of these new AI tools. And at nearly every company, employees download AI apps to see how technology can help them with their most mundane tasks. And our in-house developers scour the web for the best new data libraries to build on.
Companies are responding to market frenzy. Business software makers, from large to niche vendors, are racing to bring new AI-based tools and features to market. IDC expects corporate spending on AI to grow 27% this year to $154 billion.
Organizations should proceed cautiously. As companies race to adopt AI technology in its many forms, they run the risk of circumventing critical security procedures that sooner or later may be exposed to devastating hacks. This is because many new AI tools are based on open source infrastructure or data repositories. This may require entirely new defensive strategies over many of the proprietary tools that have been in use over the last few decades.
It is more important than ever for CIOs, CISOs, and other technical leaders within their companies to put in place processes that allow security experts to validate the libraries or platforms on which many of these AI programs are based.
Open isn’t always better
A simple Google search will help you find AI-assisted products for almost any common business task. Some of them are free to try. Or, with a swipe of a credit card, employees can get the full software up and running.
This is not a new problem. So-called “shadow IT” (software and devices that employees use without their employers knowing) has plagued CISOs and CIOs for years. But AI can make the problem even worse. Unlike most big-box software used by organizations today, modern AI tools are increasingly built on open source architectures.
A number of data libraries are already available online as part of this open source wave. That number will only grow as companies like OpenAI release their own data sets for developers.
Open source is a powerful tool. But there are risks. As we have seen, some attackers target open platforms. Also, the SolarWinds hack that compromised thousands of data networks a few years ago shows the damage a breach of IT supply his chain can cause. So from a security perspective, we are very concerned about the AI gold rush. As more open AI platforms are adopted, companies are more likely to be exposed to catastrophic IT supply chain breaches.
Fortunately, there are steps security leaders can take to continuously scrutinize open source tools for potential vulnerabilities.
shed light on the shadows
It’s more important than ever for businesses to do their homework and thoroughly research the vendors that can ultimately provide IT services to their businesses. But it’s also important that CISOs and their teams are always aware of the tools their employees are going to use.
From now on, security teams will have to work closely with their development colleagues to certify the vendors they consider and review the security protocols used to protect open source libraries.
Once your internal IT team has verified that your repositories are secure, they can start creating access guidelines that allow employees to download apps of their choice or use specific libraries to power machine learning algorithms.
score the vendor
But that doesn’t mean workers should rush to try every tool available. Weighing the potential value of software against the potential threats it can pose remains important for both employees and security professionals alike.
Vendor scorecards can play a powerful role in assessing potential threats. By taking the time to benchmark IT providers against each other, businesses will have the information they need to decide which provider to hire. Such benchmarks are already standard practice for responsible enterprise IT teams. But AI has created a whole new open source ecosystem of potential vendors and partners for security teams to manage. Companies should document the answers to her five questions:
- What development method did this vendor use?
- Has the vendor performed sufficient code analysis?
- Does the vendor enable dynamic scanning to help detect anomalies?
- What process does the vendor require to remediate discovered vulnerabilities?
- Does the vendor have systems in place to understand the impact on their products in the event of a supply chain hack?
Once that’s done, the internal IT team can decide whether to approve the vendor as a trusted entity. But the work doesn’t stop there. As more open source tools are deployed, it’s imperative that security teams constantly monitor their applications for unknown code and potential security breaches.
Fortunately, security teams can automate much of their day-to-day monitoring, and AI can help security teams do this. This allows analysts to spend more time protecting next-generation AI software.
We understand the excitement around AI, but it needs to be scrutinized. Businesses need to ignore the hype to understand both the true value that software can provide and the risks involved in adopting it. Otherwise, instead of benefiting from the AI gold rush, you may find yourself scrambling to protect your systems from a new wave of AI-opportunistic hackers. For RSAC attendees: stay skeptical and keep in mind these five questions of his and the points I made here in this week’s meeting with vendors.
Indu Peddibhotla, Vice President of Products, Commvault
