11 questions to ask before buying AI-enabled security software

Infosec is complicated enough. Add AI/ML into your security software mix, and you may be asking for trouble. Or, choose the right vendor, and you could wind up with the best toys on the block. Here's what you need to know to wind up in the second camp.

Most CISOs likely believe in the potential for artificial intelligence (AI) and machine learning (ML) to transform the information security landscape over the next 3 to 5 years. That doesn't mean they aren't sick and tired of hearing about it. Many would probably give serious consideration to giving up a paycheck in trade for never having to hear the terms AI or ML again. Virtually every security software vendor on the planet is invoking artificial intelligence as if it had magical properties. To make it worse, many vendors don't have the goods.

Do some security software vendors overpromise and under deliver on the benefits of their AI/ML implementations? "Massively," said Dr. Anton Chuvakin, VP and distinguished analyst, Gartner. "Examples range from the more blatant and idiotic 'we have a military-grade AI' to subtle, saying 'we use AI' when they are referring to the use of foundational statistical methods that are 300 years old."

The cybersecurity tools market has played up the term AI to the point that "CISOs and CIOs roll their eyes when they hear about yet another AI-based product," said Tom Bain, VP of security strategy, Morphisec. "I know one vendor that mentions AI 22 times on its homepage."

Dr. JT Kostman, leader, applied artificial and frontier technologies, Grant Thornton, said "most of the companies claiming to have AI/ML intelligence capabilities that I've evaluated have ended up having to admit that their claims were little more than marketing puffery."

That willingness on the part of some vendors to exaggerate or fabricate an AI story is only part of the problem. Almost 60 percent of the IT respondents to a new study conducted for Webroot admit that, while they are aware that some of their software makes use of AI or ML, they're not sure what that means. Moreover, only 36 percent know with certainty how their cybersecurity vendors source and update their threat data. The survey was fielded in late November and early December 2018. It reached 400 director level and above IT professionals, 200 in the U.S. and 200 in Japan.

Many experts and AI-experienced CSOs strongly urge infosec leaders to get in the game so that when AI is an absolute necessity you're not playing catch up with complicated technology. For example, many people grossly underestimate the amount of data needed to train a machine learning model properly. It can take you a while to build up that data. "The mistake that many people make is that AI is about the sophistication of the algorithm. It's not. The key is that AI/ML requires massive amounts of data for training," said Thomas Koulopoulos, chairman and founder, Delphi Group.

To continue reading this article register now

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!