5 questions Indian CISOs must answer before deploying AI for cybersecurity

Deploying AI to bolster your cybersecurity prowess? Before you take the plunge, take a look at India’s top CISOs sharing their views on what you need to do before you harness AI for cyber resilience.

ai artificial intelligence circuit board circuitry mother board nodes computer chips
Getty Images

CISOs across the enterprise have realized the immense potential of automated threat response and how artificial intelligence helps in making their job a lot easier and hassle-free. The 2019 IBM Ponemon report reveals that 46 percent of security leaders believe automated cybersecurity tools decrease the cost associated with data breaches.

However, AI is not the be-all and end-all of cybersecurity. The bad guys on the dark side of the web are increasingly using sandbox-evading malware that has the capability to fly below the radar and pass through undetected.

As AI transitioned from being an ahead-of-the-curve cybersecurity ploy to an industry norm, security vendors have since capitalized on the ‘shiny object syndrome’, marketing rule-based machine learning algorithms as AI solutions.

CSO India engaged the country’s top security leaders in a tweet chat, through which they shared their two cents on what CISOs ought to bear in mind before deploying AI-based solutions. We also address the elephant in the room – are AI-based security solutions truly artificial intelligence or merely rule-based machine learning algorithms.

Question 1: How effective will AI be in detecting and mitigating threats?

One of the prime reasons for CISOs to leverage AI for cybersecurity has been the time they have been able to save by allowing automation to take over mundane tasks. And it’s not just efficiency, AI can empower CISOs to stay on top of their security game.

Bringing this to light, Shashank Bajpai, CISO at Acko General Insurance says, “AI for cybersecurity can do away with a lot of time-consuming redundant manual tasks and log correlation. Also with the right threat intel feeds, AI can make cyber threat detection more proactive than reactive.”

Make no mistake, though – AI is not a ‘silver bullet’ for securing your organization. Gomeet Pant, Sr. Manager – IT Security and Compliance at Cairn Oil & Gas, Vedanta, believes that while there are promising AI-based products that have come up in recent times, AI can only be one more element in your defence ploy.

Given the fact that AI models are as good as the data fed into it, there have been numerous instances of AI-based security failing or allowing threats to pass under the radar.

A May 2019 IDC global survey reveals that a fourth of organizations already using AI-based security solutions report up to a 50 percent failure rate. So can CISOs ‘trust fall’ assuming AI-based cybersecurity tools will protect them?

Not yet, opines Subhanil Banerjee, Senior Manager- IT Infrastructure and Security at ABP. “AI can really prove to be very effective in terms of behaviour monitoring, but it should always be guided under human intervention,” he explains.

This feedback cycle is imperative to train the AI model and reduce false negatives by allowing it to evolve, learn and adapt.

Question 2: How do I make my AI model more reliable and accurate?

Now what makes AI in security a particularly tough beast to tame is the fact that in addition to false negatives, false positives are also detrimental to security operations. A red flag on a legitimate application or user could throw a spanner in the works – be it by blocking accessibility for an authorized user or blocking web traffic from an unidentified, but safe website.

CISOs ought to remember that AI-based security solutions come with a standard set of policy framework, and in cybersecurity, one size most definitely does not fit all.

Keyur Desai, CIO and Head of Info Security for Essar Group says that AI-based solutions need to be tailor-made according to an organization’s IT landscape and business scenario. Additionally, human expertise to fine-tune scenario-based decisions can go a long way in reducing false negatives.

There’s a harsh reality the enterprise is beginning to finally acknowledge – a lot of so-called AI-based security solutions are in fact just rule-based models.

Mohd. Shadab Siddiqui, Head of information security, privacy, trust & compliance at Ola minces no words when he says, “It's mostly model that has been written and not actual AI, but ML, let’s accept it.”

AI is a double-edged sword – technologies that are available to a CISO are also being leveraged by the bad guys, and that brings us to the next question:

Question 3: With cyber-criminals also deploying AI to study and evolve evasion, what can organizations do to stay ahead in the AI race?

Pant reinforces the fact that CISOs simply cannot afford to get complacent when it comes to their cybersecurity strategies. “Any arsenal ever created will be used by both sides. You need to develop and continually evolve AI strategy,” he adds.

However, Desai believes that CISOs have an added advantage of playing on home turf.

Question 4: Which aspects of security can be entrusted to AI-based decision-making models? And which aspects still require human intervention?

This is one question that has intrigued CISOs since the inception of AI in security practices. While some tasks can be wholly delegated to AI-based decision making, others require a certain degree of human intervention.

Pant believes large consistent sets of information can be moved right away. “Complex predefined algorithms for user behaviour changes can be used to detect anomalies,” he says. 

In Desai’s opinion, AI can be used for parameter-based decisions, but human intervention simply cannot be ruled out.

Question 5: What have CISOs learnt from their AI deployments?

While Pant shares that most deployments in the security space have been for testing purposes so far, his organization is less than six months from a production deployment.

Desai, on the other hand, reveals that although the latest security solutions mostly come with a fair bit of in-built AI, fine-tuning at the initial stages is critical.

Copyright © 2019 IDG Communications, Inc.

The 10 most powerful cybersecurity companies