AI, the human factor among CISO’s top challenges in 2023
The impact of artificial intelligence on cyber security, human susceptibility to social engineering, and burnout as a result of skills shortages, are among the top challenges facing CISOs this year.
This emerged at a CISO and chief Security professionals dinner hosted by BCX and Fortinet in Sandton last night, ahead of the ITWeb Security Summit 2023 in Sandton this week.
Leading CISOs and chief security professionals said many of their key challenges had not changed in recent years: these included securing a hybrid workforce, bridging legacy gaps between IT and OT, and crucially – the human factor. “We continue to train and educate users, but someone will still click on a link they shouldn’t,” said one.
I’ll struggle to come up with a definitive response when asked what threat AI poses.
The human problem also extended to securing increased cyber security budgets from business management, and retaining cyber security skills. CISOs are facing burnout and struggling to attract qualified skills, some said.
A new concern CISOs face is AI such as ChatGPT, which has improved the quality of phishing mails and is likely being deployed by cybercriminals to write code faster. “I can answer the board’s questions about how we are mitigating most risk, but I’ll struggle to come up with a definitive response when asked what threat AI poses,” said a CISO.
Low effort targets
International crime and intelligence analyst and ‘cyber criminal profiler’ Mark T. Hofmann gave CISOs the assurance: “We can win this race, and with AI, both sides now have a new tool. It’s both a threat and an opportunity.”
Hofmann said much of what is believed to be true about cyber criminals’ motivations is incorrect, because it is based on interviews with the limited number of cyber criminals who have been jailed. “These are the 1% – the stupid hackers. Free hackers tell a different story,” he asserted. Hofmann has built an in-depth understanding of cyber criminals’ motivation and methods by engaging with them on the dark web.
Hofmann, who will address the Security Summit on the psychology of cyber security, told CISOs that hackers target people using social engineering, because this is the easiest way to access systems. “Hackers have told me ‘it has to be low effort’. Social engineering against humans is still the easiest way to get into systems, because humans are still cyber security’s weakest link. For organisations, the human firewall has to be a top priority,” he said. “Everyone can be hacked. It’s not a matter of intelligence, it’s a matter of attention in the moment.” He cited an example where he had clicked on a malicious email purporting to relate to an online gift voucher he had just bought, days before Christmas.
Everyone can be hacked. It’s not a matter of intelligence, it’s a matter of attention in the moment.Mark T. Hofmann
Hofmann also noted that effective cyber security must be a management responsibility. “It has to be top-down, driven by the CEO,” he said.
On AI, he noted that deepfake audio and video technology had become so sophisticated that it was possible to clone someone’s face and voice based on just one minute’s material. However, emerging idiolect technology was becoming capable of identifying an individual based on their unique use of vocabulary and pronunciation to counter this risk. “AI is not just a threat – it’s also a chance for us to fight back,” he said.
To mitigate risk, organisations needed to focus on more than technology, but also processes and people, in new ways, he said. “We need to make cyber security great again. We need to make cyber security interesting to people who don’t care. Awareness programmes that include phishing simulations followed by training aren’t a good idea – they feel like punishment,” he said. “To convince CEOs to allocate more budget to cyber security, we need to use proximity to shock them – mentioning examples of attacks that happened in their city. We need to use pictures and metaphors to make risks clear and make them care. We could also make the point that in future, cyber security might become a marketing asset, in much the same way that ‘green/eco’ labels are used in food and consumer goods.”
Wayne Olsen, managing executive cyber security at BCX, said user training proves more effective when made personal. “Staff will become more risk aware when you personalise training and make them think about the risks to them and their kids,” he said.
He noted that skills development and partnerships could help cyber security professionals address some of their challenges. “BCX is passionate about both, and we have just taken in our first batch of 20 cyber security graduates to help bring new talent into the sector,” he said.
Paul Williams, country manager - SADC and Indian Ocean Islands, Maxtec in partnership with Fortinet, added that three levels of Fortinet cyber security training had been made available for free via the Fortinet Training Institute to help address the skills challenge. “Cyber crime has evolved so fast that we need more than just the right solutions, processes and people. Beyond zero trust and zero day, we need zero sub-second defence,” he said.