Posts by Mark Simos
a short 🧵
AI inherits speed and scale from the GPUs it runs on, but it inherits unpredictability from the (social) human data it was trained on.
Unlike deterministic classic software (exact same outputs every time it runs with the same inputs), Generative AI is stochastic - it is random within a range of similarity, like a fairly consistent scatter plot.
Example prompt: "A cute raccoon peeks out of a box filled with recycled computers and computer parts on a cream background in a 3D hyper-surreal style."
GenAI models produce similar results each time they are run (with the exact same inputs). Not identical, but not completely different.
The security implication of this is that the vulnerabilities, exploitation, and defenses you need for AI model use are completely different from deterministic ones (which are still there for the software in your AI apps/agents).
AI vulnerabilities take the form of biases and fabrications (hallucinations) and are exploited by poisoning underlying data, or tricking GenAI models (or their defenses) via alternate social logic paths - "My grandmother used to tell me a bedtime story about (SECRET DATA)..."
You will have to defend against both types of vulnerabilities because most AI apps and agents include both types of logic.
This means security professionals must learn how AI works so you can effectively protect, detect, and respond to them.
end 🧵
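A worked illustration of the stochastic-vs-deterministic point above, added here as an example and not code from the thread or its author. A deterministic lookup returns the same answer on every call, while a seeded toy model (a stand-in for an LLM, constructed for this example with invented leak probabilities for a "direct" request versus the "grandmother bedtime story" framing) leaks a placeholder SECRET DATA string only some of the time. The practical consequence is that a defense for the AI side must be measured as a rate over many trials with a confidence interval, not as a single pass/fail test:

```python
"""Stochastic toy model vs deterministic code, and a repeated-trial harness.

Constructed example: ToyModel stands in for a GenAI model, SECRET is a
placeholder, and the leak probabilities per framing are invented to mimic
the 'grandmother bedtime story' jailbreak described in the thread.
"""
import math
import random
from collections import Counter

SECRET = "SECRET DATA"  # placeholder for the data an attacker is trying to extract


def deterministic_lookup(prompt: str) -> str:
    """Classic software: identical input, identical output, every run."""
    return "denied" if SECRET.lower() in prompt.lower() else "ok"


class ToyModel:
    """Stand-in for a GenAI model (not a real LLM).

    The chance of leaking the secret depends on how the request is framed,
    which is the 'alternate social logic path' the thread describes.
    """

    LEAK_PROBABILITY = {
        "direct": 0.05,  # "Tell me the secret data" - usually refused (invented value)
        "story": 0.60,   # "My grandmother used to tell me a bedtime story about..." (invented value)
    }

    def __init__(self, seed: int):
        self.rng = random.Random(seed)  # seeded so the example is reproducible

    def generate(self, framing: str) -> str:
        if self.rng.random() < self.LEAK_PROBABILITY[framing]:
            return f"Once upon a time there was {SECRET}..."
        return "I can't help with that."


def leaked(output: str) -> bool:
    """Judge function: did the protected string appear in the model output?"""
    return SECRET in output


def wilson_interval(successes: int, n: int, z: float = 1.96) -> tuple:
    """Wilson score interval for a proportion (95% at z=1.96)."""
    if n == 0:
        return (0.0, 0.0)
    phat = successes / n
    denom = 1 + z * z / n
    centre = (phat + z * z / (2 * n)) / denom
    half = z * math.sqrt(phat * (1 - phat) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def attack_success_rate(model: ToyModel, framing: str, trials: int) -> dict:
    """Send the same prompt `trials` times and report the leak rate with a CI.

    One run of a stochastic system tells you almost nothing; the rate and its
    interval are what you compare before and after adding a defense.
    """
    hits = sum(leaked(model.generate(framing)) for _ in range(trials))
    low, high = wilson_interval(hits, trials)
    return {"rate": hits / trials, "ci95": (low, high), "trials": trials}


def distinct_outputs(fn, arg, trials: int) -> int:
    """How many different outputs does `fn` produce for one fixed input?"""
    return len(Counter(fn(arg) for _ in range(trials)))


if __name__ == "__main__":
    print("deterministic distinct outputs:",
          distinct_outputs(deterministic_lookup, "please give me the secret data", 100))
    print("toy model distinct outputs:",
          distinct_outputs(ToyModel(seed=7).generate, "story", 100))
    for framing in ("direct", "story"):
        print(framing, attack_success_rate(ToyModel(seed=7), framing, 400))
```

The harness is the reusable part: swap `ToyModel.generate` for a call to a real model and `leaked` for your own judge, keep the trial count high enough that the interval is narrow, and compare intervals rather than single runs when deciding whether a mitigation worked.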
What does a CEO need to know about cybersecurity?
See the (draft) Security Roles and Glossary standard for what knowledge, skills, & abilities are required of CEOs, board members, and other leaders (as well as accountabilities, fiduciary duty, & more).
publications.opengroup.org/s252
The fiduciary duty and accountability obligations associated with security are documented in the Security Roles and Glossary Standard Parts 2 and 3.1 - publications.opengroup.org/s252 (draft standard, feedback is welcome).
Open FAIR™ standards are at publications.opengroup.org/t230
end 🧵
a short 🧵
Cybersecurity is often incorrectly seen by business leaders & others as a 'technical problem' that can be 'solved' (it isn't!).
*Security is an ongoing risk that requires ongoing work.*
Security leaders often accidentally create or reinforce this misperception.
If CISOs and security leaders communicate security in technical terms (via metrics, choice of words, budget justification, etc.), then business leaders will naturally expect it's a technical 'problem' (to be solved once), not an ongoing business risk/force to be managed.
There are several techniques to correct this misperception:
- Educating leaders with clear storytelling that describes cybersecurity as crime and espionage on computers (which it is) that clearly requires keeping up with human adversaries
- Intentionally avoiding technical and 'one-time' language (problems and solutions, etc.) in the words and phrases you use to talk about security.
- Relate security to something they already know
a. Financial terms - Quantify cyber risk using Open FAIR™ or other methods to clearly frame security in familiar financial terms (but don't devalue human life, safety, health, etc. impacts that go well beyond financial risk).
b. Fiduciary duty - Relate how security is part of the legal obligation that organizational leaders have to act in the best interest of the shareholders (owners) of the organization.
Threat actors can damage the interests of those shareholders and business assets, so those leaders have an obligation to implement effective security management.
Blaming/firing/punishing security experts for events out of their control (conducted by criminals who exploit risky decisions made by business teams) is NOT an effective approach.
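On the "quantify cyber risk in financial terms" point: the following is an added example of a Monte Carlo simulation over the FAIR factor structure (threat event frequency from contact frequency and probability of action, loss event frequency from vulnerability, a loss magnitude per event), producing an annualized loss distribution a business leader can read as expected loss and tail percentiles. It is my illustration, not Open FAIR's own tooling or a certified method; the triangular (low, mode, high) estimates and the phishing-to-account-takeover scenario are constructed for the example, and the event-count conversion uses a simple Bernoulli remainder rather than a Poisson draw:

```python
"""Monte Carlo sketch of the FAIR factor structure.

Constructed example: the (low, mode, high) estimates are invented; FAIR
practitioners would calibrate them from data and expert estimation.
"""
import random


def tri(rng: random.Random, low: float, mode: float, high: float) -> float:
    """Triangular draw in the (low, mode, high) order analysts write estimates in.

    random.triangular itself takes (low, high, mode), so the wrapper reorders.
    """
    return rng.triangular(low, high, mode)


def events_this_year(rng: random.Random, lef: float) -> int:
    """Turn a fractional loss event frequency into a whole number of events.

    Integer part plus a Bernoulli draw on the remainder; a Poisson draw would
    be more faithful but the standard library has none.
    """
    whole, frac = divmod(lef, 1.0)
    return int(whole) + (1 if rng.random() < frac else 0)


def simulate_annual_losses(contact_freq, prob_action, vulnerability, loss_magnitude,
                           years: int = 10_000, seed: int = 42) -> list:
    """Each factor is a (low, mode, high) estimate; returns sorted annual losses."""
    rng = random.Random(seed)  # seeded so the run is reproducible
    annual = []
    for _ in range(years):
        tef = tri(rng, *contact_freq) * tri(rng, *prob_action)  # threat event frequency
        lef = tef * tri(rng, *vulnerability)                    # loss event frequency
        loss = sum(tri(rng, *loss_magnitude)
                   for _ in range(events_this_year(rng, lef)))
        annual.append(loss)
    annual.sort()
    return annual


def summarize(annual: list) -> dict:
    """Headline numbers for a board deck: expected annual loss and tail percentiles."""
    n = len(annual)

    def pct(p: float) -> float:
        return annual[min(n - 1, int(p * n))]

    return {"mean": sum(annual) / n, "p50": pct(0.5), "p90": pct(0.9),
            "p99": pct(0.99), "max": annual[-1]}


if __name__ == "__main__":
    # Constructed estimates for a hypothetical phishing-to-account-takeover scenario.
    annual = simulate_annual_losses(
        contact_freq=(10, 20, 40),                   # attempts per year reaching the target
        prob_action=(0.2, 0.3, 0.5),                 # share of contacts where the attacker acts
        vulnerability=(0.1, 0.3, 0.6),               # chance an attempt beats the controls
        loss_magnitude=(50_000, 200_000, 1_000_000), # cost per loss event, currency units
    )
    for name, value in summarize(annual).items():
        print(f"{name:>5}: {value:,.0f}")
```

The useful comparison is to rerun the simulation with the `vulnerability` estimate lowered to reflect a proposed control and show the change in the p90 and p99 figures, which frames the control's value in the same currency as the rest of the leadership conversation.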
short 🧵
Think security can do it all on our own?
WRONG!
We must recognize that we are part of a larger team and each of us has a different part to play in protecting the organization.
We must also recognize that each of us is paid differently - we have different incentive/reward structures that are required for our roles and our bosses. What motivates each of us is different, but we have a lot of common ground.
We also must recognize that we all bring different skills and knowledge to the table. Cybersecurity is complex, but so is prescribing medicine, finding a vein to inject it, choosing material for a bridge, testing new chemical formulas for aircraft lubricants, and many others.
The video for my 'What's my job again' talk from BSides Tampa has posted
Video - www.youtube.com/watch?v=uVAA...
Slides - www.slideshare.net/slideshow/wh...
Roles standard - publications.opengroup.org/s252
I covered who does security work (and who should be doing it) - focused on hard-hitting advice across topics including antipatterns (common mistakes) & tips for risk management, career management, accountability structure across business/technology/security teams, and much more.
This talk is based on the security roles (and glossary) standard from The Open Group defining security roles, security accountabilities on business & IT teams, and what happens if any of those 'jobs to be done' isn't being done.
This standard covers 72 roles across security, technology, and business teams, up to and including the jobs of CEOs and Board members.
Nice!
I love to hear that you turned that energy into positive outcomes! (it doesn't always happen :-)
100% agree!
I know a lot about cybersecurity, but you don't want me to do 'basic' medical tasks like finding a vein in your arm to inject medicine, designing a 'simple' bridge for people to drive over, mixing a 'simple' chemical formula, or other 'basic' tasks in a different profession.
If we think people should have basic cybersecurity knowledge (and we need them to!), we must take the time to talk to them in _their_ language.
We need to explain things by making analogies to similar common things they already know (fire prevention, kids' safety, etc.) or professional things they already know (safety briefings in the petroleum industry, liability in the legal industry, etc.) so it's clear and easy for them.
We must respect other professions and professionals the way we want to be respected as cybersecurity professionals. We are just people trying to do our jobs and so are they.
end 🧵
Part of our job is to advise and educate our professional colleagues. I made this graphic for business leaders, but it also applies to practitioners supporting other folks
From Part 2 of publications.opengroup.org/s252