CISO Chat(GPT): How Top Brands Are Using AI in Cybersecurity
This article originally appeared in SC Media.
When it comes to cybersecurity, AI presents a double-edged sword: dangerous in the hands of threat actors, but also a powerful tool for cyber defense. That was the clear theme of a CISO panel I hosted during our recent Vision 2024 conference.
During the session, I chatted with top security leaders from some of today’s most well-known companies: Choice Hotels, Domino’s, and the National Football League. They exchanged first-hand observations of how AI has changed the threat landscape and how it can help secure organizations from those threats.
Here’s a recap of some of the most interesting aspects of that conversation, with ideas for other CISOs looking to elevate their own cybersecurity strategy with AI.
AI Threats Target the Email Inbox
Email continues to be the biggest threat vector in today’s organizations, largely because of its massive user base of vulnerable humans. Humans are often the weakest link in an organization’s security posture, and threat actors know this. That’s why so many leverage manipulative social engineering tactics in their phishing and business email compromise attacks.
As security professionals, we’ve invested a lot of resources into awareness training programs that educate users on how to spot social engineering red flags in emails, like misspellings and poor grammar. And while that was effective five years ago, generative AI has forced us to reconsider our defensive strategies.
Many companies use generative AI to write compelling marketing emails that boost open and response rates. Now, imagine how threat actors might exploit this same technology for nefarious purposes. With publicly available tools like ChatGPT, threat actors can drastically improve the scale and quality of their attacks, using generative AI to create larger volumes of messages that are error-free, mimic the tone and context of real people, and might even be accurately translated into local languages. That means faster, more human-like, and ultimately more effective social engineering attacks.
Some Real-World Scenarios
NFL CISO Tomas Maldonado says the sports and entertainment industry experiences a blurring between cyber and physical spaces. “We have people who sit in our venues who not only watch and enjoy the game, they’re also interacting with our digital assets,” he said. For example, the NFL exclusively offers mobile tickets. If a user expects tickets to a big game, attackers could use this as a phishing lure to compel them to click on a link or open up a malicious attachment.
Maldonado continued: “We also have specific parts of our business that are constantly a target for attack, whether it's disrupting our content streaming or trying to get inside information around players.” AI-generated threats exacerbate the NFL’s security challenges, requiring NFL security teams to strengthen defenses against attacks both inside and outside the arena.
Meanwhile, in the hospitality industry, social engineering often preys on the tendency of employees to focus on customers. “We train our hotel employees to be warm, welcoming, and inviting. We want to accommodate our customers and threat actors prey on that,” says Choice Hotels CISO Jason Stead. “Fraudsters are the last thing you’re looking out for when helping a guest at 2 a.m.”
Since many hoteliers are franchisors, some hospitality CISOs assist franchisees with their cybersecurity alongside their corporate environments. “This is a threat we’re all facing because attackers aren’t just going after one hotel,” says Stead. “They are targeting specific hotels as an initial attack vector to go after the broader corporation.”
Combat Malicious AI with Defensive AI
Fighting back against the growing AI threat will require the security industry to step up its own use of AI. As security professionals, we all agree that we should leverage AI for the same reason threat actors are—it’s a force multiplier.
While it’s impossible for any organization to become fully immune to attacks, there are major opportunities to use AI tools to reduce the volumes of attacks that security teams need to investigate and remediate, especially as those attack volumes rise exponentially through the weaponization of AI.
“Today, if a new product I’m looking at doesn’t have at least some AI capability in it, I’m probably not going to purchase it,” said Stead. He also mentioned that he simply can’t scale staffing enough to operate his security team at the highest possible level, so AI tools help bridge the gap.
Security teams now use AI to improve their security posture through AI-based threat detection. By learning and establishing baselines for typical user behavior, these tools can detect anomalous activity that may indicate a potential attack, and automatically block those attacks without human intervention. According to Anthony Albrecht, the CISO at Domino’s: “If AI-powered security solutions can automate 90% of detection and remediations with very few false positives, security teams can focus on the 10% of threats that do get through.”
Maldonado echoed this as well: “Because we have minimal resources, we're not going to be able to hire hundreds of people to do everyday operational tasks. We need these tools to help us cut through the noise to then identify and mitigate the most significant risks.”
CISO Collaboration Can Drive AI Security
We have to remember that CISOs are still trying to figure out this emerging and ever-evolving AI technology. No CISO has perfected an AI-powered cyber strategy yet, and getting there will require multiple streams of collaboration among stakeholders within each company, as well as with industry peers.
During our conversation, the NFL’s Maldonado recommended creating an AI council or review board within the organization to evaluate new AI technologies and determine appropriate AI governance. It’s also important to have industry-level collaboration to drive an exchange of valuable information and best practices amid such a fast-moving technology space.
“I'm bullish about leveraging knowledge and co-sourcing it throughout the industry,” said Albrecht. Meanwhile, Stead has joined the board of RH-ISAC, which operates as a central hub for sharing sector-specific cybersecurity information and intelligence, and continues to rely on his industry peers to learn their best practices when it comes to AI.
Despite the risks AI poses to security posture, I’m optimistic about its defensive potential, as are my CISO peers. As we said in the session, there are three great places to start: prioritize solutions designed with AI features at their core, look for opportunities to augment threat detection with AI, and follow up with ongoing peer collaboration.