CISO Perspectives: Transforming Security with Generative AI


Posted on by Laura Robinson

How are Fortune 1000 security teams using generative AI (GenAI)? What use cases are feasible now? What use cases might realistically emerge in the next few years?

These are the kinds of questions being discussed within the RSAC Executive Security Action Forum (ESAF) community of Fortune 1000 CISOs.1 This week, we’ll see how leading CISOs plan to use GenAI to transform security. And we’ve got some more insights from RSAC’s Fortune 1000 survey on GenAI.

This blog series is based on firsthand experiences shared at invitation-only ESAF sessions by Fortune 1000 CISOs. We’ve summarized those discussions for the benefit of the wider security community. Details have been anonymized to preserve confidentiality. 

Enterprise Adoption of Generative AI for Security

According to a recent RSAC survey of Fortune 1000 CISOs, 72% have already implemented GenAI for security and 98% plan to in the next 12 months.2 However, in interpreting these results, ESAF CISOs emphasized that in the next 12 months, the scale and scope of most implementations will be limited. Most security organizations will still be in the experimentation phase with GenAI.

Threat detection is currently the most common use case and prioritizing vulnerabilities is expected to be the fastest-growing use case (Figures 1 and 2). Given how quickly the GenAI space is evolving, these plans may change in the coming months as security teams continue to evaluate use cases.

[Figure 1]

[Figure 2]

Identifying Priority GenAI Use Cases

Since security workflows vary considerably between companies, each security team will need to determine the best GenAI use cases for their own organization. In a recent ESAF session, one CISO shared the results of a research project their security team undertook to identify and prioritize use cases. 

Over five months, the team conducted interviews across the security organization, asking questions such as, “What problems are so difficult and resource-intensive that we’re not doing them well today?” and “Realistically, which of these processes could we make more efficient with GenAI?” The team also examined the rate of technology development in the GenAI space and made rough estimates of when various technologies might be ready for adoption.

Based on the results, they project that in the next five years, AI could have the largest impact on their security organization in areas that include:

Areas in Security | Examples of GenAI Use Cases
Business Operations | Produce content such as training materials and handle basic project management tasks.
Incident Monitoring | Help perform faster threat detection and automation of common tasks.
Security Assessment | Assess compliance with requirements.
Security Remediation | Determine the potential implications of vulnerabilities and add context to support remediation guidance.
 

They identified the highest-priority use case as “giving real-time security advice and information to employees.” As we saw in last week’s post, employee assistance chatbots are a common early GenAI project.

AI Impact on Future Jobs in Security

The company’s research shed light on a highly emotional aspect of GenAI: the future of jobs. For most security roles, they expect GenAI to have little impact in the medium term, mostly in relatively narrow areas. The CISO felt it was important to communicate this message to allay fears around job security. Given expected rates of GenAI technology development, the research team projected reduced costs of 10% across their converged security program. 

Another CISO shared their security staffing strategies vis-a-vis AI. Their team is counting on AI to help ease the talent shortage in security. Even though they expect the volume of work to go way up in the next few years, they plan to keep headcount at current levels and use technology to increase the team’s capabilities.

The CISO also shared two examples of use cases they are exploring:

  • Red teaming: Using AI to come up with novel ways to penetrate the enterprise perimeter and suggest these tactics to the red team. 
  • Change management: Using AI to speed up the approval process for system design changes. With AI analysis, they hope to reduce the turnaround time from 30 days to one day.

Challenges to GenAI Adoption

In ESAF discussions, CISOs are generally optimistic about the potential for AI to make security operations more powerful over the next 5 to 10 years. But currently, GenAI adoption in security is hindered by significant barriers such as immature tools, lack of skills, and risk of data leakage, as indicated by the RSAC survey (Figure 3). 

[Figure 3]

Multi-Year Journey

Most ESAF CISOs see the implementation of GenAI as a multi-year journey, as the tools mature and security teams integrate GenAI into their operations. Few CISOs have indicated they are drastically changing their security strategies in the short term. However, board members and other corporate leaders often convey a strong sense of urgency to do more with AI. 

CISOs may be under pressure to make major strategic changes immediately even when they feel evidence supports more gradual change. CISOs must be prepared to communicate about the levels of certainty in predictions around AI, justify their security budget allocations, and manage expectations.

Up Next: Tackling AI-Enabled Threats

AI gives security organizations powerful tools, but threat actors are vying for the upper hand. How do some of the most cutting-edge CISOs in the industry view the threat landscape evolving and what’s their long-term vision for security? Check back next week.

Have you read our earlier posts on the Risks of Rapid GenAI Adoption, GenAI Governance, and Securing GenAI Systems?

Read more from the RSAC ESAF community of Fortune 1000 CISOs in the CISO Perspectives series.

____________________________________

1 ESAF is an international community. It consists of CISOs from Fortune 1000 companies and equivalent-sized organizations.

2 Survey of 100 Fortune 1000 CISOs conducted by RSA Conference for an internal research study in Q2 2024.


Contributors
Laura Robinson

ESAF Program Director, RSA Conference


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

