Page 21 - Cyber Defense eMagazine January 2024
1. AI development and use will demand solutions.
AI poses new challenges for cybersecurity and regulators are taking notice. Just last week, EU lawmakers
agreed on the core elements to regulate AI. It will require foundational AI models to comply with
transparency obligations, and will ban several uses of AI, including the bulk scraping of facial images. It
will also require businesses using “high-risk” AI to assess their systemic risks and report on them. The
California Privacy Protection Agency (CPPA), the state’s enforcement agency, also recently released its
draft regulatory framework around “automated decision-making technology” (its description of AI), giving
Californians the right to opt out of their data being used in AI models.
No business can afford to simply ignore AI. Across sectors, the technology will be key to long-term
innovation. How, then, can CISOs ward off the privacy risks that come with AI use internally and by
vendors and other partners?
A first and necessary step is to recognize present limitations. Third parties are likely to oversell solutions
based on the promise of controlling AI, but we’re not there yet. Before CISOs even think about control,
they’ve got to get a handle on where AI is, and will be, used in their business. Discovering these points,
and monitoring them, have to come before control because no one really knows how generative AI will
evolve. For that reason, CISOs should be wary of any third-party solutions that claim to be able to harness
this technology and its potential consequences.
Rather than buying into an illusion of control, CISOs should tap into their existing toolbox to further efforts
at discovery and monitoring. Traditional tools still have value, even in the generative AI world. For
instance, they can leverage ubiquitous network inspection to find calls to AI vendors unauthorized by the
company’s policies. Data mapping and detection can help cybersecurity teams know precisely where AI
is being used in their organization and prevent shadow IT.
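The network-inspection idea above, as an added example that is not from the article: a Python script that scans proxy log records for calls to AI vendor API hosts made by users who are not approved for that vendor. The log format, the vendor watchlist and the approval table are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed watchlist of AI vendor API hosts; build yours from vendor documentation.
AI_VENDOR_DOMAINS = {"api.openai.com", "api.anthropic.com",
                     "generativelanguage.googleapis.com"}
# Hypothetical policy table: vendor host -> users approved to call it.
APPROVED = {"api.openai.com": {"alice"}}

# Constructed proxy records: timestamp, source IP, user, method, host:port, bytes sent.
SAMPLE_LOG = """\
2024-01-08T09:14:02Z 10.1.4.22 alice CONNECT api.openai.com:443 5120
2024-01-08T09:15:10Z 10.1.7.9 bob CONNECT api.openai.com:443 900
2024-01-08T09:15:44Z 10.1.7.9 bob CONNECT api.openai.com:443 1100
2024-01-08T09:16:31Z 10.1.7.9 bob CONNECT API.Anthropic.com:443 300
2024-01-08T09:17:00Z 10.1.9.3 carol CONNECT intranet.example.com:443 100
truncated-record
""".splitlines()


def match_vendor(host, watchlist):
    """Return the watchlist entry that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for domain in watchlist:
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def find_unsanctioned_ai_calls(lines, watchlist=AI_VENDOR_DOMAINS, approved=APPROVED):
    """Summarise requests and bytes sent per (user, vendor) outside the policy table."""
    findings = defaultdict(lambda: {"requests": 0, "bytes_out": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or not parts[5].isdigit():
            continue  # skip malformed records rather than guess at their fields
        _ts, _src, user, _method, dest, bytes_out = parts
        vendor = match_vendor(dest.rsplit(":", 1)[0], watchlist)
        if vendor is None or user in approved.get(vendor, set()):
            continue  # not an AI vendor call, or covered by policy
        findings[(user, vendor)]["requests"] += 1
        findings[(user, vendor)]["bytes_out"] += int(bytes_out)
    return dict(findings)


if __name__ == "__main__":
    for (user, vendor), stats in sorted(find_unsanctioned_ai_calls(SAMPLE_LOG).items()):
        print(user, vendor, stats)
```

The per-user byte totals give a rough sense of how much data left the network toward each vendor, which helps decide which findings to follow up first.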
2. Data privacy regulation (and enforcement) will evolve.
When it comes to the data privacy market more generally, CISOs can expect one thing: change.
This is particularly true when it comes to regulation. While some agencies have kept pace with
technological development, enforcement has been another issue entirely. As data privacy expert Anna
Westfelt recently underlined, regulators around the globe currently face crippling personnel shortages
and enormous backlogs.
While this was the case in 2023, other indicators give a better idea of what to expect in the months and
years to come. In particular, data subject access requests (DSARs) continue to increase year over year.
This reflects consumers’ increasing concern with how their personal data is being handled; however, it
also suggests that stricter DSAR enforcement is just around the corner.
For CISOs, this means that in addition to solutions for data mapping and AI discovery and monitoring,
they need to begin thinking seriously about how they can efficiently respond to consumer demands for
data transparency, be it through automated processes or other means. Doing so won’t just protect their