CISO Dinis Cruz talks about how a research project on using GenAI for better board communications became a new platform for users.
Imagine the situation: you need to communicate a message to the members of your board, but they each have a preference for how they like to be informed, and invariably they will come back with a variety of questions which will take the rest of your week to answer.
Surely there is a better way of doing this, and could the answer be with AI? Dinis Cruz is an experienced CISO for multiple businesses and recently announced the launch of The Cyber Boardroom, using generative AI (GenAI) to help boards, directors, and executives “learn, engage with, digest, and very importantly, act on cybersecurity topics and information presented to them.”
In the launch announcement, Cruz said a common theme in CISO discussions is the significant cybersecurity challenges faced by C-level executives and boards, and their companies' ability to effectively prevent, react and respond to cybersecurity incidents. This can include new regulations being introduced, increasing their need for cybersecurity preparedness - at both a security and business level.
Speaking to SC UK, Cruz explains that his concept for The Cyber Boardroom is to apply the logic of GenAI, as he can tell GenAI what problem he wants to solve, present his data points, with information and questions, “and ChatGPT is able to connect the dots and give me really good answers based on the content I provide - and that is what we never had before.”
Getting the Answers
So is it like putting a series of data into the portal and getting the answer? Like a calculation? Cruz says that is more like a Google search, while using GenAI is more like “I need to calculate the area of this box, what is the best way for me to calculate? What is my approach to do that?”
He explains that what boards often want to know are the answers to three questions: what's going on? Do I care about it? Should I do something about it?
In the case of the board getting a communication from the cybersecurity team, Cruz says there is often a senior person trying to understand what they've been given, what their responsibilities are, and what they should be aware of.
“They need to understand what they've been given, including ‘what is this thing’ that they just received from their CISO,” Cruz says, adding that this is the key part of The Cyber Boardroom - knowing who the recipient is, and how to scale communications to them.
The Correct Tone of Voice
Cruz says the CISO would typically provide one set of data and, if they were able to, have some direct conversations with the board and adjust the messaging, but would never be able to scale the communication networks.
“Because if you think about it, I need to communicate not just to six stakeholders on the board plus seven executives, and every one of them needs a different message, a different tone of voice, a different language, a different culture, and they care about different things,” he says.
“Here’s something that I want to communicate in six, or 20, different messages, which could go from a TL;DR to six paragraphs to ‘you could go to jail here’.” In other words, meeting the preference of board members on a personal level.
This is where the customizability of The Cyber Boardroom is unique, as Cruz says that, using LLMs, you can provide the source material, determine the intent and provide for the audience.
“For me, this goes to the heart of why I think GenAI is going to be such a massive change. Because in the past, all of that was crazy, engineering costs and now that becomes a prompt,” he says.
In particular, these prompts can add different languages and actions to be taken, so the executive can request the questions or the message to send to the team about that.
“My problem wasn't that I was doing a good job,” Cruz says. “My problem was, how do I get the executive to understand what actually we do? That bit of translation is where I feel that we're going to see massive changes in our security environments, because a lot of our security tools tend to address one bit at a time, but now you can connect the dots way more efficiently.”
Next Steps
In developing the portal, Cruz admits he has been developing the idea for around nine months, and at the time of speaking The Cyber Boardroom had over a hundred users. Cruz says with more investment, he will be able to add more features, but as this is serverless and driven by GenAI bots and agents, Cruz says the level of investment is achievable.
Concluding, Cruz admits the issue with communications in the past was not that it was very hard to do, but that as soon as one of them asked a question, “you were back to square one.” If we are out of the internet age and into the time of AI being used in business, we need to consider how GenAI is used, and Cruz may have hit on one of the early examples.
Written by
Dan Raywood
Senior Editor
SC Media UK