Using Artificial Intelligence in Cybersecurity to Assess Risks
Artificial intelligence technology is growing and evolving rapidly. That presents challenges. With generative AI creating text and images that can be almost indistinguishable from the real thing, misinformation, disinformation, and outright fakes are harder to spot. And it provides tools that hackers and scammers can use to defraud you. But artificial intelligence also provides opportunities. Using artificial intelligence in cybersecurity can help consumers and companies better assess risks and keep us safer.
See The Intersection of AI and Cybersecurity with Paul Valente for a complete transcript of the Easy Prey podcast episode.
Paul Valente is the co-founder and CEO of VISO Trust. Before that, he was a longtime Chief Information Security Officer (CISO) and security professional at companies like Restoration Hardware, Lending Club, and ASAPP. In his career, he has focused on companies that are navigating the process of relying on other companies to help them do what they do. That’s what led him to found VISO Trust. They work with companies to use artificial intelligence in cybersecurity to assess risks. Their services help companies quickly determine the risk of doing business with third parties.
Personal Experience with Cybersecurity Incidents
Paul has been involved with numerous cybersecurity incidents at companies that he has worked with, worked for, or contracted with. Being involved in those incidents was a key learning experience for him as a security professional. In 2001, for example, he was working for a subsidiary of Bank of America called Bridger Commercial Funding. The Nimda virus took down the entire company. For a solid month, Paul worked around the clock to get the company back in business. While he has now been involved in numerous serious security incidents, that was his first. He learned a lot from the experience.
“Everybody’s data has been breached somewhere.” – Paul Valente
There’s a cybersecurity maxim that says, “Either you have been a victim of a cybersecurity incident, or you don’t know you’ve been a victim of a cybersecurity incident.” Everyone’s data has been exposed in a data breach at some point. Attacks through phones, emails, and texts are increasing as criminals “test the locks” on our security. It makes communication more difficult and inefficient.
Paul gets calls from family members all the time asking him to verify things. Is it real? Should they click? They already clicked, so what should they do? Scammers are quick to employ new tools. By using artificial intelligence in their scams and bots, it’s getting harder for even the savviest consumers to spot what’s real and what’s a scam.
“It’s a constant arms race … unfortunately, those of us as end users [are] not completely protected.” – Paul Valente
The Need for Artificial Intelligence in Cybersecurity
When Paul first started getting into a cybersecurity career, companies had their own data centers, infrastructure, and computers. Only a few companies were sharing limited amounts of data with other services. In the past twenty years, that has completely changed. In the industry, the process is called “digital transformation.”
The idea behind digital transformation is companies specializing. There are companies out there who are excellent at reputation management, others who are excellent at cloud storage, still others who are excellent at website hosting. For many companies, it makes more sense to use services offered by other companies than try to do everything in-house. Take marketing as an example: Large enterprises rely on sometimes hundreds of marketing apps and tools, each of which serves a particular function. They rely on even more outside apps, tools, and services to run the rest of their business.
As a consumer, when you work with a company, interact with a business, or even visit a website and share your data, you’re also sharing it with a whole ecosystem of other companies. Often, you have no way of knowing what companies are in this ecosystem, so it’s difficult to fully understand what’s happening to your data. On the business side, it’s challenging for companies to manage data security across hundreds of relationships in a business ecosystem.
Artificial Intelligence in Cybersecurity Improves a Broken System
VISO Trust uses AI technology to help companies make better decisions. By using artificial intelligence in cybersecurity this way, they put the companies you share your data with in control. VISO Trust lets companies make good risk assessments and decide who to do business with before they share your data with risky companies. Think of it as a foundation of trust underpinning these complicated business ecosystems.
Historically, ensuring security in these business relationships has been very difficult. In the past twenty years, the reality has changed drastically but the methods haven’t. The most common method is still long questionnaires. Paul used to work on a small security team for a company that did corporate social responsibility software. Fortune 1000 companies would reach out to him with questionnaires that had three thousand questions – or more. He had to weigh the options of hiring another person to keep improving security, or hiring another person to answer questionnaires. Ultimately, he had to choose the latter, because answering those questionnaires for other companies’ outdated risk assessment process was the only way to stay in business.
Not only are questionnaires inefficient and slow, they are ineffective at reducing risk – and often result in a false sense of security. Sometimes they are filled out by salespeople who only know what their sales literature promises, not what their product actually does. For companies who do have security personnel fill out the questionnaires, the answers will be more accurate but the product will be at a disadvantage because the security person is filling out paperwork instead of improving security.
Artificial Intelligence in Cybersecurity Streamlines a New Process
The current risk assessment process is broken, which is what VISO Trust is attempting to solve. By using artificial intelligence in cybersecurity, they can streamline the process. Their AI focuses on real information and automatically extracts data. This is already an improvement on questionnaires, as the data quality is guaranteed and it’s gathered much faster. And it’s not just gathering data. By using artificial intelligence in cybersecurity, VISO Trust can vet systems and make sure everything is in place and doing what it should be doing.
The VISO Trust process takes vendors five minutes. All they have to do is provide any internal documentation, third-party audits, or other data they have about their systems. The AI extracts the data and turns it into a custom risk assessment for the particular business relationship. This process puts businesses in a position to get good data and make good risk decisions. In addition, Paul often gets happy letters from vendors about how much quicker and easier using artificial intelligence in cybersecurity is than the old process. And it can give end users comfort that the companies they are giving their data to are doing their due diligence, analyzing the risks, and taking their data seriously.
Artificial Intelligence in Cybersecurity Creates a Culture of Transparency
One of Paul’s goals with VISO Trust and using artificial intelligence in cybersecurity is to create a culture of transparency and honesty around security and data protection. Companies need to be open about the programs they use and their security. That includes shortcomings and breaches, because that is our reality today. Security is not a problem you can solve – it’s a constant evolution. It takes constant diligence, effort, and investment to keep things secure.
“You’re not going to ruin your brand from having a breach today. Today, it’s really how you handle it.” – Paul Valente
When it comes to data breaches, it’s not a question of whether or not it will happen to a company. At some point, it will. The question is how the company will handle it, what steps they take to keep customers informed, and how they help customers protect themselves. There is a wide range of responses from companies that have had data breaches. Some work with legal teams to find legal arguments that they don’t have to tell anyone. But other companies believe in transparency. And companies that believe in transparency are ultimately rewarded.
The Risks of Artificial Intelligence in Cybersecurity
From a consumer standpoint, a big risk of artificial intelligence in cybersecurity is that criminals can use it to defeat our training. Many people have been trained to detect scams, phishing, vishing, and other common tactics. Common signs include anomalies, grammatical errors, and anything that makes you go, “That doesn’t seem quite right.” With the release of tools like ChatGPT and generative AI that can create images, it’s much easier for scammers. They can create a grammatically perfect, legitimate-looking phishing message quickly and easily. Many of those common “tells” of scams won’t be reliable anymore.
“A lot of those red flags that we’ve been trained to look for, we’re not going to be able to rely on anymore.” – Paul Valente
AI bots will also get better and better at simulating humans. This can be useful for some things, like businesses’ automated support bots. But scammers will also be able to use this to imitate real people. Paul got a message from a scammer’s AI bot a few months ago. It was pretending to be someone he hadn’t talked to in a while. It asked how he was doing, and Paul asked how it was. It responded by talking about getting its booster shot – a normal conversation in a pandemic context. Paul sent a few messages back and forth with it before he picked up that it was a bot.
For any kind of text or chat conversation, we are going to have to think harder about what we’re seeing. It’s no longer enough to ask if it talks like a normal human. We also have to question if this person would really be talking to us about this right now. Maybe it isn’t them. It’s going to get harder and harder to tell.
Consumer Protection from Misinformation
For consumer protection on the whole, we will need to push for the creation of tools and services that can help us discern real information from misinformation. Misinformation has been a hot topic for everyone since a little before the pandemic. But AI tools have kicked it up to an essential concern. It’s becoming a big challenge for humanity.
“We’re going to have to start thinking that just about everything we get digitally is fake.” – Paul Valente
For images, video, or text – anything that we see online – our default assumption should be that it’s fake. Unless we can easily attribute a source and get the facts, it’s safer to assume it’s not real. This is not the end of the world. But it is definitely a new set of challenges. However, it is also a new set of opportunities. There is a huge opportunity for companies that can watch and monitor AI and apply artificial intelligence in cybersecurity to create guardrails that build trust.
Artificial Intelligence as a Utility Risk
Artificial intelligence in cybersecurity has a lot of potential. But there is also potential for the opposite. Artificial intelligence can easily become a utility risk, allowing people who don’t know anything about hacking to use AI tools to hack into systems. Paul is certain that this will happen eventually. In fact, it’s already happening with social engineering. Scammers are using AI to improve their social engineering schemes, and they have grown by leaps and bounds in just the last few years.
But the good news is that this is going to happen incrementally. Artificial intelligence technology is growing quickly, but its capabilities are not all developed at once. This incremental development will allow companies to implement artificial intelligence in cybersecurity, making security smarter as the hackers get smarter. There will be complexities there to handle. But even though it will happen, it will happen incrementally.
How VISO Trust Successfully Uses AI
In AI, there’s a concept called the “problem space.” The problem space is the size of the problem you’re trying to solve. When you hear about people trying to create sentient beings with AI, that’s applying AI to a problem space that encompasses the entire concept of human language and the whole of human experience. That’s such a big problem space that it’s not even close to possible today.
The secret to success in AI is having a small, clearly-defined problem space and a lot of data. When Paul worked with ASAPP, they focused their AI on customer service automation for airlines, telecommunications, and banking. These are finite spaces, and they could deliver really great results. They take the same approach at VISO Trust. The VISO Trust AI is focused on automated interpretation of language that describes practices, controls, assurance, routines, and technology related to security. The models are designed to evaluate security language and security language only. Because the problem space is so narrow, they’ve had great success.
VISO Trust also supervises their AI to make sure the data they get from artificial intelligence in cybersecurity is accurate. AI can sometimes “hallucinate,” or tell you something that isn’t anywhere in the data. VISO Trust’s AI works with an expert in the loop supervising it. They also get their results tested and verified, and use third-party risk auditors to help train their data models. They want to make sure their customers get information that is as accurate as possible.
What Artificial Intelligence and Cybersecurity Means to You
Artificial intelligence can seem like a complicated topic, especially if you’re not a “techy” person. If you want to know what you need to know about it, how it will impact you, and what you should do, there are some steps you can take. First, educate yourself. Sites like Wikipedia are a great resource. Search for and read things about trusted AI.
Also keep an awareness of what you are doing and where you are interacting. Think twice about sharing information. Be even more careful when you receive messages via online chat, email, text, or phone call. Paul recommends outbound voice verifying every transaction: When anyone asks for money, take time to hang up and call them back on a number you know to verify they are who they say they are. Take steps to clearly and unmistakably confirm the identity of everyone you’re talking to before you send either information or money.