
World Economic Forum Provides Guidance on AI Use

Steps to ensure reduced risk when using AI technologies.


To fully benefit from the opportunities that AI technologies can bring, organisations need to ensure that the associated risks are proactively understood and managed.

A white paper released this week from the World Economic Forum, in collaboration with the Global Cyber Security Capacity Centre at the University of Oxford, determined that the use of AI cannot be performed in isolation.

“The process has to involve multiple stakeholder groups within the business, including top leadership and senior risk owners,” the white paper said. “Decision-making and investment choices need to be informed by proper evaluation of risks and rewards.”

Titled “Artificial Intelligence and Cybersecurity: Balancing Risks and Rewards”, it states that it is crucial that business leaders continuously update their understanding of the technology, and that successful businesses will be well positioned to harness cybersecurity as a competitive advantage.

“In the context of AI adoption, this will enable organisations to innovate confidently and build trust in their services and brands.”

Enhance Collaboration

The white paper also determined that there is a need to enhance collaboration between the AI and cybersecurity communities, regulators and policy-makers through dialogues and joint initiatives. “It will also be crucial to establish clear accountability mechanisms for securing the AI supply chain and provide effective incentives for security-by-design within AI products.”

The paper said that the use of AI “is creating an expanded attack surface that might be exploited by threat actors” and as a result, existing methods need to be extended to address new vulnerabilities that are inherent in AI, but that may not be as relevant for more “classical” IT systems.

There is also a need for business leaders to ensure there is adequate investment in cybersecurity controls and tools that are needed to protect AI systems. These leaders also need to ensure that the business is prepared to respond to and recover from disruptions.

It claimed that CISOs need to be empowered to challenge both technology teams and business teams seeking to embed the technology within their operations. Security teams should also be equipped with the necessary resources to adapt their capabilities and address new threats arising from AI use within the organisation.

Innovation investments for AI should be coupled with security investments to ensure that security is embedded throughout the AI system lifecycle. “This approach will help organisations define a reusable approach for mitigating complex technology risks, leaving them better prepared for future disruptions.” 

It also recognised that new tools and techniques are required to manage the “novel security vulnerabilities driven by AI.” It provided a list of foundational features to capture best practices for securing and ensuring the resilience of AI systems. Further instructions included:


  • An inventory of AI applications to help organisations to assess how and where AI is being used, including whether it is part of the mission-critical supply chain, helping reduce “shadow AI” and risks related to the supply chain.

  • Ensure that there is adequate investment in the essential cybersecurity controls needed to protect AI systems and ensure that they are prepared to respond to and recover from disruptions.

  • Technical controls around the AI systems themselves need to be complemented by people- and process-based controls on the interface between the technology and business operations.

  • Care needs to be paid to information governance – specifically, what data will be exposed to the AI and what controls are needed to ensure that organisational data policies are met.


Dan Raywood, Senior Editor, SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.
