CIOReview | 19 DECEMBER 2024

· Technical (30 percent)
· Regulatory (20 percent)
· Artificial Intelligence (10 percent)
· Administrative (10 percent)

The percentages are just an example, but they would likely be close after your initial analysis. When I say crown jewels, it may overlap the other areas, but knowing what drives the company's revenue and what is critical to the organization should be a priority.

The CISO function is as much a technical expert as a business leader in our current data-centric world. This requires the CISO and the information security group to be a partner rather than being in the "Yes or No" business. The technical controls can be adjusted based on the risk of the assets and data, along with the culture of your organization. Culture matters because a company that is not acclimated to strict controls can run into user experience issues that thwart the overall mission. This is where a leader needs to forge those partnerships, get management buy-in, understand the data, and implement accordingly.

When we think of risk/cost and technical controls, the following items can provide robust security without requiring substantial cost:

· Monitoring/SIEM tool
· Encryption in transit
· Malicious activity blocking, not just detection (there is a big difference)
· Incident management tool
· API security

In our new world of seamless data provisioning, these items can provide appropriate data safeguards without disrupting the business processes that drive profits, innovation, and required data sharing. As always, there is no perfect answer or solution, but this provides a trusted approach and focuses on proven technology.

The regulatory and compliance side can be a difficult path to maneuver and is fraught with pitfalls and paradigm shifts in the legislative landscape. Every CISO has it ingrained in them that they need to meet all compliance guidelines or the world will end. This is not the case, but being adept at what is needed is critical. To meet this need, the following items need to be in place to satisfy a broad spectrum of domestic and global compliance requirements:

· Data/asset inventory
· Ability to respond to data subject access requests (DSARs)
· Data retention
· Cookie consent/Global Privacy Controls
· Partnership with Legal and Internal Audit

How do organizations handle the explosion of AI? It is important to position AI in your organization not as a panacea but as a collection of systems and algorithmic processes that maximize your data position. It will take a village to develop valuable models, and oversight to ensure proper governance. When building out your respective AI infrastructure, incorporate the following principles into your strategy:

· Build responsible AI development (RAID) into your models. Removing bias is critical.
· Start with initial models and test on a small scale, at low risk, and fail fast.
· Avoid using open AI models. This exposes your data, and trusted results may be problematic.
· Safeguard the models and build in proper data governance.

The Administrative side of the house is the least visible but pays dividends for the entire user base. It is focused on the user training, learning, and communications portion of the program. This requirement spans all areas and makes sure that employees and contractors are well-versed in how to safeguard data and are risk-averse when applicable. Another component is communicating initiatives to the user base and explaining them to ensure awareness and buy-in.

Managing Cost and Data Risk: AI and the New Data Privacy Paradigm