AI is the new black, in two senses. First, AI is clearly the fashion of the day as AI week on/Capitol Hill has now turned into AI month and may well have an extended “season.” The other sense in which AI is the new black is that in many ways it is an ominous, and yet so alluring, black hole. One wonders where to begin as we probe this new dimension.
Some direction may be offered by referring to the series of questions the National Association of Corporate Directors suggested to their members in the Cyber Risk Oversight Handbook they published with the ISA this spring. In our earlier post (LINK) we discussed the issues board are asking management regarding their use of AI in general. In today’s post we will turn to the questions boards are asking their management teams specifically regarding the use of AI for cybersecurity.
1 What is the company’s overall road map to implementing AI or ML in cybersecurity?
2. What are the cybersecurity goals the organization’s is trying to achieve by implementing an AI/ML solution?
3. How will the AI solution toughen the organization’s security stance and how will that be measured?
4. What is the estimated harm the company will face if it does not deploy the AI system?
5. What are the new vulnerabilities the company will face due to having deployed the AI system
6. What type of cyber-attack is the system designed to detect, predict and respond to?
7. Is the system prepared to detect and manage a Ransomware attack?
8.How would deploying such a system impact the organization’s cybersecurity team? What are the benefits and risk associated with the tool’s use by the team?
9. Should the company expand or update the cybersecurity team?
10. How much would it cost to update the cybersecurity team for AI?
11. Are there positions the company doesn’t need any more due to this new deployment?
Should the company be creating a new sub-team to monitor the outcomes from the AI deployment
12. Will implementing the AI tool impact the company’s cyber insurance enrollment?
13 Are there potential legal consequences for either deploying or not deploying AI in the system?