Last updated on June 5th, 2023 at 04:52 pm
It’s impossible to avoid it. The Artificial Intelligence (AI) boom is here. Is your organization preparing for AI?
We’re seeing myriad articles about AI regulation and the potential AI holds for industries in the news on a daily basis. In the corporate world, business leaders are considering if AI tools might be beneficial for their organization. Employees, meanwhile, are already downloading apps to help them with their day-to-day, and in-house developers are on the hunt for data libraries to build around.
It’s no wonder AI is top of mind for companies, with business software makers competing and rushing to bring AI-based features and tools to market. A recent forecast from International Data Corporation (IDC) predicted global spending on artificial intelligence will reach US$154 billion in 2023 — an increase of 27 percent over the amount spent last year.
However, this sense of urgency is opening the door to risks, and businesses need to proceed carefully. By moving too quickly, companies could bypass critical security steps that could potentially expose them to devastating hacks. Many new AI tools are based on open-source infrastructure or data repositories, and these might require an entirely new defensive strategy when compared to all the proprietary tools that have been used historically.
Now more than ever it’s crucial for business executives and technology leaders to ensure a process is in place that enables security professionals to validate the libraries or platforms that so many AI programs are based on.
As you consider the benefits of AI and what they might mean for your organization, here are a few important things to keep in mind:
Opening up to breaches with open source
So-called “shadow IT” — software and devices that workers use without their employer’s knowledge — has been a thorn in the side of CISOs and CIOs for years. But AI can potentially make the problem much worse. It’s very easy these days for employees to do a quick online search for an AI tool they believe will be helpful and download it.
Unlike a lot of enterprise software used by most organizations, AI tools are increasingly being built on open-source architecture. As a result of this open-source wave, there are many data libraries available online, with that number continuing to grow as organizations such as OpenAI release their own data sets for developer use.
While open source is a powerful tool, it carries risks — especially as bad actors target open platforms. Consider the SolarWinds hack from a few years back which resulted in thousands of data networks being compromised; this is a prime example of the damage IT supply chain breaches can cause. This is in part why there are concerns about the popularity of AI. As open AI platforms are increasingly adopted, more organizations are exposed to potentially catastrophic IT supply chain breaches.
Fortunately, there are steps that security leaders can take to help continuously vet open-source tools for any potential vulnerabilities.
Do your homework
It goes without saying that organizations should thoroughly research any vendor providing an AI solution or IT services. The security and development teams should work closely together to not only qualify any vendors that are under consideration but to also establish security policies and protocols to be used specifically to protect open-source libraries.
It’s just as important for CISOs and the security team to be educated and aware of any AI tools employees might be looking to implement. When the internal IT team has confirmed that repositories are secure, access guidelines should be developed that will enable employees to download apps or begin using certain libraries to help power machine learning algorithms.
Score the vendors
Of course, this doesn’t mean employees are being given a green light to download any and every available tool. Employees as well as security team members will need to consider the value any software might offer, and weigh that against any threat it could pose.
In particular, vendor scorecards are a powerful tool when it comes to assessing potential threats. Ensuring you thoroughly benchmark IT providers against one another can ensure organizations have the details and insight they require to ultimately choose the best provider to go with. While benchmarking is already a common practice for many IT teams, the popularity of AI has opened the door to a completely new open-source ecosystem of possible partners.
With that in mind, some important questions for organizations to consider include:
• What development methodology did this vendor use?
• Did it conduct sufficient code analysis?
• Does the vendor have dynamic scanning enabled to help detect abnormalities?
• What procedures does the vendor have in place to remediate any vulnerabilities that are found?
• Does it have processes in place to understand the impact to its products in the event of a supply chain hack?
When the benchmarking is complete, the IT team can determine whether to greenlight the partner or vendor as a trusted entity. However, they also have to continuously monitor applications for any possible security breach or unknown code as open-source tools are deployed.(Ironically, AI can help security teams with this, as much of the daily monitoring can be automated, allowing for more time to protect next-generation AI software.)
The excitement around AI is intense — and rightly so — but that intensity has to be matched with heightened scrutiny. It’s important to be able to tune out the hype to be able to properly examine the value the software can truly provide, as well as the risks associated with adopting it.
If not, organizations might find themselves rushing to secure their systems against a new wave of AI-opportunistic hackers instead of benefitting from the AI gold rush.
______________________________________________________________________
Darren Yablonski is Senior Director of Sales Engineering leading teams in Canada, U.S. and LATAM at Commvault. He is passionate about solving the world’s data management challenges using intelligent data services. As a thought leader, Darren has over 20 years of diverse multi-functional IT and customer-facing experience interfacing with executives, leading sales, engineering, cloud, SaaS, project management and ransomware security discussions.
