<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>David Cass, Author at Security Current</title>
	<atom:link href="/author/david-cass/feed/" rel="self" type="application/rss+xml" />
	<link>/author/david-cass/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Tue, 11 Jun 2024 13:13:54 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>David Cass, Author at Security Current</title>
	<link>/author/david-cass/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Consider This When Looking for a New Role</title>
		<link>/consider-this-when-looking-for-a-new-role/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 11 Jun 2024 13:12:29 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36961</guid>

					<description><![CDATA[<p>Demand for skilled security professionals remains strong, but it’s being tested by the economic uncertainty that accompanies an election cycle. Economic uncertainty typically spurs companies to cut spending, and many&#8230;</p>
<p>The post <a href="/consider-this-when-looking-for-a-new-role/">Consider This When Looking for a New Role</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-36964" src="/wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role.png 1017w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-300x172.png 300w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-180x103.png 180w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-768x441.png 768w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></p>
<p>Demand for skilled security professionals remains strong, but it’s being tested by the economic uncertainty that accompanies an election cycle.</p>
<p>Economic uncertainty typically spurs companies to cut spending, and many consequently have either had big layoffs or major restructurings. That’s probably leading to hiring freezes until companies sort out where they stand internally. Executives may also be shifting priorities, and reevaluating security needs while they explore how to optimize current staffing before bringing in very skilled new hires.</p>
<p>If you’re a CISO looking for a new role in this climate, you should probably be thinking about four things:</p>
<p><strong>Highlight the value you bring: </strong>Showcase your experience in managing security, mitigating risks, adapting to an evolving threat landscape, and your experience with budgets. One of the keys to building a case for your candidacy is thinking about what type of CISO you are. Are you a CISO who is good at being a builder, the early-on security hire who essentially must do everything while building the organization? Or are you a good security operator, who’s very good with budgets and security operations, and can take an existing program and continue to develop it? Or maybe you’re a transformer, the type of CISO who comes in post-breach or post-incident to an organization that needs a major security overhaul?</p>
<p>Figuring out what type of CISO you are will help you to frame your strengths best.</p>
<p>So, too, will figuring out what size organization you’re suited for. If you’re used to managing a lot of people, odds are that the startup world isn’t for you because there you’d be doing everything until the startup reaches critical mass. When you’re creating your CV, there will be different things to highlight depending upon the size of the organization you’re looking at, and whether it needs to be built from the ground up or transformed.</p>
<p><strong>Understand the industry you’re looking at:</strong>  How do you highlight your industry knowledge? Some sectors are highly regulated, while others are not. Understanding the specific security challenges for the industry you’re looking at is crucial.</p>
<p><strong>How do you network strategically as a CISO? </strong>Do you attend industry events? Are you connecting with your peer CISOs at different groups? Are you connecting to different recruiters? Oftentimes, other CISOs become aware of certain job openings even before recruiters do. How you build and leverage your network is important, as is the kind of brand that you bring to your network.</p>
<p><strong>Demonstrate you’re current with the appropriate skills:</strong> Security is one of those industries where you need to be a continuous learner or you get left behind. You need to demonstrate your commitment to continuous learning by staying on top of technological developments and changes, such as cloud technology, blockchain or AI.</p>
<p>Compensation for security professionals varies widely. If you’re looking for a seven-figure opportunity, you need to understand that there are far fewer of those than there are mid-market roles. Competition will also be fierce. The big determinant of salary is not only the experience you bring to the table, but also the size and scale of the organization you’re looking at. Not all CISO roles are created equal in terms of authority and scope of operations.</p>
<p>Many organizations are now looking for CISOs because they understand they need them, but some might be offering compensation that’s below the average market value because they don’t have an understanding of the role. In those cases, it’s the job of the recruiter or HR to help them do an accurate discovery of where salaries are and help the company level-set expectations.</p>
<p>Within the past four or five years, there’s been an improvement in the specialist salary reports that are being published. But most organizations buy a generic IT salary report, and those do not tend to be a good reflection of security salaries. Consequently, HR is not necessarily getting the best data from outside since it’s not looking for security-specific salary reports.</p>
<p>Because of the new SEC regulations on security, demand for CISOs will increase. One of the big considerations candidates need to take into account is whether they will have the accountability and the authority to actually get the job done. Where does the CISO report in the organization? If there is a regulatory requirement, I would be fairly hesitant about taking a role where messaging has to go through multiple levels of management before it gets to the right person.</p>
<p>As always, finding the right opportunity is key to any job search.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Implementing Effective AI and ML Monitoring and Auditing</title>
		<link>/implementing-effective-ai-and-ml-monitoring-and-auditing/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 27 Feb 2024 11:48:47 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36454</guid>

					<description><![CDATA[<p>AI and ML systems need ongoing oversight to ensure their performance remains ethical, optimal and functioning within an anticipated operational threshold. System decisions, algorithms and data sources also need to&#8230;</p>
<p>The post <a href="/implementing-effective-ai-and-ml-monitoring-and-auditing/">Implementing Effective AI and ML Monitoring and Auditing</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img decoding="async" class="alignnone size-full wp-image-36456" src="/wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing.png 1017w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-300x172.png 300w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-180x103.png 180w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-768x441.png 768w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">AI and ML systems need ongoing oversight to ensure their performance remains ethical, optimal and functioning within an anticipated operational threshold. System decisions, algorithms and data sources also need to be systematically evaluated to ensure compliance with internal policies or external regulations, ethical standards and organizational objectives. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Together, continuous monitoring and auditing serve to assure performance. To make sure the system is performing as expected, you need some form of risk mitigation to help identify risks early. Are there biases? Are the predictions incorrect? Are you potentially having data privacy issues? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And lastly, you need to take steps to make sure the public has trust in the system. Continuous monitoring and auditing is another means of assuring trust to key stakeholders that the system is functioning and there is accountability for it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Following are key steps and strategies that need to be taken to implement effective monitoring and auditing:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Set out clear metrics and KPIs to define what successful operation of the AI and ML model means.  These metrics should provide reasonable insights around things such as accuracy, fairness, privacy or any other essential criteria.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Figure out how to implement real-time monitoring tools. There is a lot of software out there that can track the system’s operation in real time.  You want to make sure it is able to flag anomalies, alert on changes in performance, and detect changes in usage or patterns. This will allow you to set alerts based on your monitoring criteria. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Have an independent party conduct regular audits. You don’t want the team that’s created the model and put it into production to do the audit. You want an internal or external audit group who can take an unbiased look. If it’s an internal group, it must have the right level of expertise so it doesn’t have to rely on the AI team to understand what’s going on. You want unbiased auditors who can review the usage of algorithms, the data sources, the decision-making process, and whether it is compliant with regulations and ethical standards the organization has defined. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Establish a continuous loop to give the AI and ML teams feedback from monitoring and auditing. Put a mechanism in place to action and follow up on any issues that might be found. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Set out guidelines for transparency and reporting. Reporting should go to stakeholders and cover things such as the validity of data sources, any findings, and any potential biases. Accountability requires that any findings go to the right level, and not just to the team that’s designing and operating the model. Perform an ethical compliance check to make sure operations are following ethical guidelines. That would involve assessing the model for its decisions to make sure there is no potential bias or discrimination inherent in the system. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Assess data quality. Continuously monitor to assure that data sources used in the model are still relevant and that there is quality control around those data sources. If you are using bad data to train an AI model, rest assured you’re going to have a bad outcome.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"> * Implement security monitoring to detect any potential breaches, vulnerabilities or abuse of the model. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Make sure the auditing and monitoring team is trained by the appropriate external sources to spot potential issues. They need to be updated on the latest regulations, and understand what best practices are in the use of AI and ML. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Continuous monitoring and regular auditing are key parts of AI and ML. It’s not something you do once and hope for the best. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Transparency – An Indispensable Element When Deploying AI and ML</title>
		<link>/transparency-an-indispensable-element-when-deploying-ai-and-ml/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 20 Feb 2024 08:17:59 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">/?p=36445</guid>

					<description><![CDATA[<p>When using artificial intelligence and machine learning models, transparency is of utmost importance. It is essential to have clarity and openness around how these systems operate. Decision-making processes and algorithms&#8230;</p>
<p>The post <a href="/transparency-an-indispensable-element-when-deploying-ai-and-ml/">Transparency – An Indispensable Element When Deploying AI and ML</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img decoding="async" class="alignnone size-full wp-image-36447" src="/wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML.png 1017w, /wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML-300x172.png 300w, /wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML-180x103.png 180w, /wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML-768x441.png 768w, /wp-content/uploads/2024/02/Transparency-–-An-Indispensable-Element-When-Deploying-AI-and-ML-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">When using artificial intelligence and machine learning models, transparency is of utmost importance. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It is essential to have clarity and openness around how these systems operate. Decision-making processes and algorithms must be clear and understandable not only to the data scientists who create them, but to a wide variety of people, regardless of their technical background. You shouldn’t need to be a PhD to understand what’s going on. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Transparency is important for three reasons: trust-building, accountability and ethical insurance.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When users understand how decisions are made, they’re likely to feel more comfortable with what the system is doing and actually use it. A method should be in place to track any problems and hold relevant parties accountable. And when stakeholders are thoughtful about the decisioning and how systems work, and there are no hidden agendas, that sets an ethical bar.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Achieving transparency in these systems is a multifaceted process. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The first thing is to have </span><b>explainable AI</b><span style="font-weight: 400;">. You need to invest in the development of models that are capable of providing insights behind the decisions that are made. You can&#8217;t expect everybody to trust what&#8217;s going on in the black box. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The second component is </span><b>clear documentation and communication</b><span style="font-weight: 400;">. That means comprehensive design documents, and comprehensive documentation around the development of the system. What data sources does it use, and why does it use them? How do the key components of the system function? Any links or dependencies to other systems or anything that’s open source should be noted as well. Documentation should be written in a manner that is accessible to a non-technical audience so they can understand how the system operates.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Stakeholder engagement </b><span style="font-weight: 400;">is important throughout the process. First, you want to define who your stakeholders are. They are the people you regularly engage with &#8212; your customers, your regulators, your internal staff.  You need to have that defined and have a process for capturing their feedback and addressing any concerns they might have. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Just as you have a security audit, so, too, should you have what I call an </span><b>ethical audit</b><span style="font-weight: 400;"> that attests the system is operating in an ethical and unbiased manner. This type of audit would review and report how decisions are made by the AI. Usually this would be done by a trusted third party that’s used to dealing with AI and ML. Their brief would be to make sure that no biases have been introduced, and to review the governance and all the documentation that goes into transparency and come up with their own conclusion. This is not something you want to do internally, because people who build and use these models often get too close to them. You need an outside opinion. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Transparent data practices</b><span style="font-weight: 400;"> are another critical component. The documentation process has to be open about data sources, but you also have to demonstrate how data are going to be used and how you’re going to protect the user’s privacy. You should have clear privacy practices that account for your use of AI and ML. When thinking about privacy, we tend to think about it in the common construct of what information are we collecting, how is that information being used, and do we declare how it’s being used. If we’re using it for AI and ML, we need to be clear about that. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The office that’s doing privacy for your organization needs to have a good understanding of how that model works. And more broadly, you want to make sure that anyone who’s working with AI and ML is trained appropriately. By that I mean not only technology and security training, but also training on what it means to be transparent so that anyone who is part of the development team understands what’s required of them, and not just from a data science perspective. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The last component is </span><b>regulatory compliance</b><span style="font-weight: 400;">, or making sure you’re adhering to regulations that mandate certain levels of transparency. One such example would be GDPR. You would have to be capable of explaining in plain English how an automated decision was made with regard to a specific individual and how it impacted them. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Transparency is going to be the heart of AI and ML. It really underpins everything because  transparency leads to trust, to accountability and to ethical practices. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Otherwise you’re talking about developing Skynet.</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Need for Testing and Validation When Modeling AI and ML</title>
		<link>/the-need-for-testing-and-validation-when-modeling-ai-and-ml/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 13 Feb 2024 06:06:33 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36440</guid>

					<description><![CDATA[<p>The adoption of artificial intelligence and machine learning is expected to deepen as organizations seek to increase efficiencies. But compromised models could cause financial losses or reputational damage to an&#8230;</p>
<p>The post <a href="/the-need-for-testing-and-validation-when-modeling-ai-and-ml/">The Need for Testing and Validation When Modeling AI and ML</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36442" src="/wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML.png 1017w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-300x172.png 300w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-180x103.png 180w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-768x441.png 768w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">The adoption of artificial intelligence and machine learning is expected to deepen as organizations seek to increase efficiencies. But compromised models could cause financial losses or reputational damage to an organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As CISOs, then, it is our mandate to protect the integrity of AI/ML models by creating a security testing and validation program. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">To make sure models don’t become unpredictable, it’s essential to test for susceptibility to two main types of attacks &#8212; data poisoning and manipulation.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Many models continue to learn once they’re put into use. With data poisoning, an attacker introduces malicious data into the training set to compromise the model’s performance after it is already deployed, getting it to act in an unintended manner or to produce results it normally wouldn’t. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">With data manipulation, an attacker injects inputs to deceive the model into making a wrong prediction or classification. Imagine an autonomous vehicle mistaking a stop sign for a speed limit sign. The effect could be deadly. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Poisoned or manipulated models can also introduce biases that can lead to unfair or discriminatory outcomes. Security testing will help to ensure that the model hasn’t been tampered with. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Security testing also has regulatory and compliance implications. We are already seeing more and more governments publishing requirements or guidelines around the use of AI and ML. As we see more AI and ML vulnerabilities, we can expect more regulations to follow, perhaps in the form of more specific security standards. If you’ve already set up a security testing and validation program, that should put you in front of some of these evolving standards. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Just as we do threat modeling in security in general, we need to do threat modeling for AI and ML models. Start by understanding what the potential threats are. Who might want to attack the model? Is it someone seeking financial gain? Is it someone looking to do reputational harm to an organization? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">By knowing what the threat landscape is, you can put more effective testing and security around your model. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once the landscape is established, you need to test for data poisoning. One way is to validate the data sources. You want to make sure that all the data sources being used for that model come from reliable, verified sources, and that you have controls around who can put that data into production. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The same holds for anomaly detection. You want to have ways to monitor for any anomalies in the training data. Have there been unexpected changes to the data that could indicate poisoning attempts? Aside from monitoring, you want to make sure the model isn’t going to act oddly if it gets a string of code or an inject that wasn’t predicted. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As part of the testing, you want to build adversarial examples. Once you do the threat model, create manipulated inputs to test the model’s robustness against them. Did they compromise the model, or was the model able to successfully reject them? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You also want to make sure you have a means to recognize drift, and do regular updates to help the model defend against it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In some cases, models need bounds in terms of expected inputs or outputs to limit the potential for harm. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">While general testing focusing on performance, operation, ethics and bias avoidance needs to be taken into consideration for AI and ML, we also need to focus on preventing bad things from happening with the model. Security needs to be proactive in this space, as an essential component of a good AI and ML program. </span><span style="font-weight: 400;"><br />
</span></p>
<p>The post <a href="/the-need-for-testing-and-validation-when-modeling-ai-and-ml/">The Need for Testing and Validation When Modeling AI and ML</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protecting the Integrity of AI/ML Models</title>
		<link>/protecting-the-integrity-of-ai-ml-models/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 06 Feb 2024 13:04:41 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36418</guid>

					<description><![CDATA[<p>One of the most critical components for artificial intelligence and machine learning modeling is testing and validation. Because these models can have such a critical impact on our lives, you&#8230;</p>
<p>The post <a href="/protecting-the-integrity-of-ai-ml-models/">Protecting the Integrity of AI/ML Models</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36420" src="/wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models.png 1017w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-300x172.png 300w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-180x103.png 180w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-768x441.png 768w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">One of the most critical components for artificial intelligence and machine learning modeling is testing and validation. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Because these models can have such a critical impact on our lives, you want to be able to identify and correct errors, anomalies and biases early. You want to be able to validate the model against predefined benchmarks that were established during the design stage, and make sure it can handle real-world scenarios before you release it to the real world. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You also need testing and validation to gauge regulatory compliance and risk management.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Various types of testing need to be performed in an AI/ML development lifecycle:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Unit testing</b><b>:</b><span style="font-weight: 400;"> Test the individual components of the AI/ML system in isolation. Check edge cases for unexpected results when handling inputs, and check outputs against expectations. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Integration testing</b><span style="font-weight: 400;">:  While different modules or components of the system may work well in isolation, unexpected things may happen when they are grouped together. Integrate the components one by one to test their interoperability. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Then validate that the information you expect to be flowing between the interconnected  components is actually flowing. For example, is the data retrieval component fetching the right data? Is the algorithm processing data correctly, and is the output appropriate for the entire data stream?</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Stress testing: </b><span style="font-weight: 400;">Gauge how the system performs under extreme conditions such as high volumes of data or requests, monitoring it for latency, error rates and resource utilization. If you have a natural language processing model or a chat bot, you might want to simulate thousands of simultaneous user requests. Can it maintain performance? What does it do when it starts to bottleneck? Does it drop requests, or does it handle them in some ordered way? </span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>User acceptance testing:</b><span style="font-weight: 400;"> This is the stage where actual users start testing it in a real-world environment. Subject a diverse group of users to any kind of realistic scenario and task that the model was designed for. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Before embarking on the testing, it is crucial to </span><b>establish best practices</b><span style="font-weight: 400;"> for implementing the tests. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Automation </b><span style="font-weight: 400;">is key. Use automated testing frameworks where possible so you can streamline the process and conduct recurring tests efficiently. These automated tools exist, so you don’t have to develop them yourselves. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The next part is something that organizations tend to struggle with: </span><b>version control</b><span style="font-weight: 400;">. Make sure to maintain versions of your models and data sets so you can track back results if a new version or data set is acting differently from predecessors. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">From a regulatory point of view, it is also important to keep a </span><b>comprehensive log</b><span style="font-weight: 400;"> for auditability and compliance. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The last part in the testing regime is setting up the model for </span><b>continuous monitoring</b><span style="font-weight: 400;"> after it is deployed. The system needs to be continuously monitored not just for performance, but to make sure that if there’s any bias or drift, then someone can catch it early and retrain the model.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Rigorous testing and validation is critical in the development of AI and ML. It’s not something that should be optional. Adherence to testing procedures helps to make sure that the model is reliable, robust and staying within ethical and operational guidelines. </span></p>
<p>The post <a href="/protecting-the-integrity-of-ai-ml-models/">Protecting the Integrity of AI/ML Models</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Time to Take a New Look at Our Cybersecurity Programs</title>
		<link>/time-to-take-a-new-look-at-our-cybersecurity-programs/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 30 Jan 2024 13:04:40 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36413</guid>

					<description><![CDATA[<p>As we kick off a new year, this is a good time to reevaluate how we look at our cybersecurity programs, and key components that need to be considered. *&#8230;</p>
<p>The post <a href="/time-to-take-a-new-look-at-our-cybersecurity-programs/">Time to Take a New Look at Our Cybersecurity Programs</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36415" src="/wp-content/uploads/2024/01/David-Cass-January-2024.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/01/David-Cass-January-2024.png 1017w, /wp-content/uploads/2024/01/David-Cass-January-2024-300x172.png 300w, /wp-content/uploads/2024/01/David-Cass-January-2024-180x103.png 180w, /wp-content/uploads/2024/01/David-Cass-January-2024-768x441.png 768w, /wp-content/uploads/2024/01/David-Cass-January-2024-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p><span style="font-weight: 400;">As we kick off a new year, this is a good time to reevaluate how we look at our cybersecurity programs, and key components that need to be considered. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The first key component is to </span><b>understand your audience. </b><span style="font-weight: 400;">Not all employees are created equal. You need to look at how the company is structured. How is the technical team structured? How is the executive team structured? Each different group is going to have potentially different needs.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once you’ve identified the target groups, you need to do a skill-level assessment. This doesn’t have to be formalized, but you need to assess what level of cybersecurity knowledge each of those different groups possesses. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The second major element is </span><b>setting training objectives.</b><span style="font-weight: 400;"> One objective might be generally increasing the awareness of the importance of cybersecurity across the whole organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another might be increasing the secure coding skill of the development team.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once you’ve set your training objectives, you’ll want to think about how to develop skills. If your goal is to broaden the sense of cybersecurity’s importance, then you’re going to want to train employees on how to identify phishing, or create secure passwords or ensure safe internet browsing. If you’re aiming for secure code development, then it’s about identifying the key languages your organization develops code in and giving developers the basics of secure coding for those languages. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another component of training objectives is regularly familiarizing employees with the organization’s cybersecurity policies and procedures. That would include reviewing and updating an acceptable use policy if one exists, and spelling out who to contact in the event of a security issue or incident.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Major element No. 3 is </span><b>curriculum development.</b><span style="font-weight: 400;"> I find that training modules are more effective than all-day training sessions. You can modularize topics like phishing, malware, password protection, secure coding for a certain language, data and privacy laws, and safe browsing habits, and do updates on a monthly or quarterly basis. You’ll want to include real-world examples in these modules to illustrate what the common threats are and how they can impact an organization. You can draw either from your organization’s own experience or that of a competitor or other industry member. To give people practical experience, follow up with interactive elements like a quiz or a simulation. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* </span><b>Method of delivery </b><span style="font-weight: 400;">is your fourth major component. If your organization is geographically dispersed, then online training will be the way to go. If not, then you can opt for in-person workshops with a chance for interactive questions. The content has to be updated regularly as threats to the organization change. You can’t recycle something from four years ago and expect it to still be relevant. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The next major element is </span><b>implementation.</b><span style="font-weight: 400;"> As you plan for the year, set the cadence and what the rollout will look like. Some elements, like general awareness training, should have mandatory participation for all employees. Secure code development should be mandatory for developers operating in a specific language. Link to any supporting materials so they have modules or presentations to refer back to. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* And finally, set up a mechanism for post-training </span><b>evaluation and feedback </b><span style="font-weight: 400;">so you can use that for continuous improvement. Consider incentives and recognition for people who complete the training.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In the long term, you’ll want to revisit your cybersecurity program each year, and update as necessary for compliance or legal or industry standards. Good tracking and reporting will be essential to the program’s success.  </span><span style="font-weight: 400;"><br />
</span></p>
<p>The post <a href="/time-to-take-a-new-look-at-our-cybersecurity-programs/">Time to Take a New Look at Our Cybersecurity Programs</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ethical Principles Must Undergird AI</title>
		<link>/ethical-principles-must-undergird-ai/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Wed, 01 Nov 2023 06:06:04 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36277</guid>

					<description><![CDATA[<p>Artificial intelligence needs to be deployed in a way that benefits humanity. That requires looking beyond the short-term model to long-term use and AI&#8217;s widescale impact on the broader society.&#8230;</p>
<p>The post <a href="/ethical-principles-must-undergird-ai/">Ethical Principles Must Undergird AI</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36278" src="/wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI.png 1017w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-300x172.png 300w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-180x103.png 180w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-768x441.png 768w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Artificial intelligence needs to be deployed in a way that benefits humanity. That requires looking beyond the short-term model to long-term use and AI&#8217;s widescale impact on the broader society.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As the use of artificial intelligence and machine learning grows, so, too, will the deployment of automated decision-making systems that could greatly impact well-being, privacy, and livelihood. Organizations must, therefore, develop ethical principles to guide the design, development, and deployment of AI and ML systems to ensure that the power of these technologies is used responsibly. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">This is a two-stage process. Stage one is developing the principles. Stage two defines the various core AI ethics principles that will guide the organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When developing the principles, the first step is to get </span><b>multidisciplinary input</b><span style="font-weight: 400;"> from a mixed community of ethicists, technologists, legal experts, and sociologists. Representatives of affected communities &#8212; for example, health care or finance &#8212; also have to be involved to guarantee there’s a comprehensive understanding of the potential implications for its use. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The second step would be a </span><b>broader public consultation</b><span style="font-weight: 400;"> if it’s an AI or ML model that impacts society at large. Public consultations, such as a town hall, can offer insights from ordinary citizens who might be affected while helping to foster trust in the use of AI and ML. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Regularly reviewing ethical principles is critical because AI is evolving so quickly, and they need to remain relevant. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It’s also important to put a </span><b>feedback mechanism</b><span style="font-weight: 400;"> in place to ensure that the AI developers, users, and affected individuals can provide observations and critiques on the AI systems and their implications once they’re deployed. It’s important to know whether the system is working as expected.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When it comes to delineating what the core AI ethics principles should be, the first thing that comes to mind is </span><b>fairness</b><span style="font-weight: 400;">. The AI model should be designed and trained to avoid bias – something that’s often easier said than done. It needs to provide equitable outcomes regardless of age, gender, race, or any personal characteristics. Proactive steps must be taken to address and rectify any biases that might be inherent in the training data or algorithms. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Transparency</b><span style="font-weight: 400;"> is another critical component. Stakeholders and other people impacted by the model should be able to understand how the system works. It’s not enough to have clear documentation of the algorithm, the data source, and the decision-making process. There needs to be a plain English version that people who aren’t data scientists can understand. Transparency helps users understand the model itself, trust it, and be able to effectively interact with it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another critical issue is </span><b>privacy.</b><span style="font-weight: 400;"> To respect the rights of individuals to maintain their privacy, the protection and confidentiality of their data must be ensured through differential privacy mechanisms, such as federated learning or encryption. User data must not be vulnerable to exposure or improper use. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Human oversight </b><span style="font-weight: 400;">is essential. If an automated system errs or acts in an unexpected way, there needs to be human judgment in the loop to be able to intervene or identify that the model is acting improperly and to rectify any damages. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Accountability </b><span style="font-weight: 400;">needs to exist at several levels – one individual cannot be responsible for the entire outcome. There needs to be accountability at the level of development and design and then overall accountability for the model and its use, which probably rises to the corporate executive level.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Continuous learning and monitoring mechanisms must be in place to track how these models are performing and ensure that they remain aligned with ethical standards over time. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Developing and adhering to ethical principles is about more than preventing misuse. It’s about guiding technology to realize its full potential and serve humanity. As technology continues to blend into all facets of our lives, we need a strong foundation to ensure that it remains an ethical tool for the greater good. </span></p>
<p>The post <a href="/ethical-principles-must-undergird-ai/">Ethical Principles Must Undergird AI</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Don’t Rush to AI and ML Without a Governance Framework</title>
		<link>/dont-rush-to-ai-and-ml-without-a-governance-framework/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Thu, 26 Oct 2023 11:26:49 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36264</guid>

					<description><![CDATA[<p>The rapid adoption of artificial intelligence and machine learning yields tremendous benefits. But as with any transformational technology that can affect human lives and societal structures, there are attendant governance&#8230;</p>
<p>The post <a href="/dont-rush-to-ai-and-ml-without-a-governance-framework/">Don’t Rush to AI and ML Without a Governance Framework</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36266" src="/wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework.png 1017w, /wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework-300x172.png 300w, /wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework-180x103.png 180w, /wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework-768x441.png 768w, /wp-content/uploads/2023/10/Dont-Rush-to-AI-and-ML-Without-a-Governance-Framework-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">The rapid adoption of artificial intelligence and machine learning yields tremendous benefits. But as with any transformational technology that can affect human lives and societal structures, there are attendant governance challenges. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Effective governance of AI and ML requires a blueprint to ensure these technologies are used safely, ethically, and responsibly. Understanding the risks associated with these technologies, such as biases, potential misuse, and privacy concerns, is essential. A governance framework will help ensure that our organizations have transparency and accountability in their implementation of AI and ML, and that they promote the responsible use of these technologies to avoid misuse or unintended consequences.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Having a framework also helps to build trust among the general public and the organization’s stakeholders regarding the deployment of AI and ML. You need to have a standard against which you will be measured. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Key components you need for an effective AI/ML governance framework include:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* </span><b>Clear objectives. </b><span style="font-weight: 400;">There should be well-defined goals and principles to ensure that any AI or ML introduced is fair, reduces bias, and adheres to the ethical principles you define.</span><span style="font-weight: 400;"><br />
</span> <b><br />
</b><b>* Clearly defined roles and responsibilities. </b><span style="font-weight: 400;">You want to make sure that you delineate the roles and responsibilities of those involved in developing, deploying, monitoring, and testing AI models. </span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>* Data management. </b><span style="font-weight: 400;">Guidelines on data collection have to be clearly spelled out. What data are being collected? How are data being stored? How are data being processed? How are they being used?</span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>* Implementing transparency. </b><span style="font-weight: 400;">How do you document the processes? How do you document the algorithms and the data sources that are used? This will help you explain the model and potentially explain decisions it may make if you’re called before a board of directors, congressional committee, or some other regulatory or governing body. You need to be able to reconstruct what happened, not just from a regulatory point of view, but to ensure there’s nothing wrong with the model. </span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>* Ethical considerations. </b><span style="font-weight: 400;">How do you avoid harm? How do you prevent discrimination and ensure the model produces some societal benefit?</span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>* Regular monitoring and reporting. </b><span style="font-weight: 400;">You need to inventory all of your AI/ML applications. You need to be able to evaluate their impacts</span> <span style="font-weight: 400;">and ascertain whether they are working as expected. And you need to report these findings to the relevant governance team so it can understand how things are working. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You also want to establish a channel to receive continuous feedback from end users and stakeholders to understand whether the model works as expected or how it could be improved. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">If you’re in a regulated industry and your AI and ML have some unwanted effect, that monitoring and reporting process can act as a flight recorder that allows you to retrace how the decision was made.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>* Training and education. </b><span style="font-weight: 400;">When organizations rushed to the cloud, there were many mishaps. Information was being exposed publicly because people rapidly entered the field without understanding the nuances. We must apply lessons from that experience when introducing AI and ML. All members of the project team need to have the required knowledge, and they need to be aware of what the governance and ethics criteria are. If they haven’t been trained before, you must provide them with the training. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A word of reassurance: There are some noteworthy governance frameworks out there. You don’t have to build your frameworks from scratch. Existing blueprints include:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The European Commission’s ethics guidelines for trustworthy AI focus on respect for laws, regulations, ethical principles, and values, as well as the robustness of the system.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The OECD AI principles, adopted by more than 40 countries, focus on respecting human rights, values, and diversity as you implement these models.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The Montreal Declaration for a Responsible Development of AI focuses on autonomy, privacy, and other aspects of AI models to ensure they do the right thing. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Ethically Aligned Design for AI focuses on the ethical aspects of designing autonomous systems, such as considering human rights, well-being, and transparency.</span></p>
<p>&nbsp;</p>
<p><span style="font-weight: 400;">To ensure your governance framework is being implemented correctly, you need the involvement of a broad range of stakeholders: technologists, business leaders, ethicists, and end users.  And because the technology is changing so rapidly, you also need regular review to ensure that the model is still valid and to examine whether there is a better way to do things.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Ensure you have well-documented use cases or specific guidelines for adopting different AI models. A healthcare application would have more stringent data protection and privacy measures than an AI that will help optimize a portfolio. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A practical and comprehensive governance framework will show you’re a good steward of the technology – and that you’re implementing it for the right reasons. </span></p>
<p>&nbsp;</p>
<p>The post <a href="/dont-rush-to-ai-and-ml-without-a-governance-framework/">Don’t Rush to AI and ML Without a Governance Framework</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Safety And Soundness In AI And ML: Steps For Effective Governance</title>
		<link>/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Fri, 30 Jun 2023 09:29:19 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35848</guid>

					<description><![CDATA[<p>Read David Cass&#8217;  latest article as an official member of Forbes Technology Council:  https://www.forbes.com/sites/forbestechcouncil/2023/06/28/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/ &#160; As artificial intelligence (AI) and machine learning (ML) technology continues to evolve at an unprecedented&#8230;</p>
<p>The post <a href="/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/">Safety And Soundness In AI And ML: Steps For Effective Governance</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong><em><img loading="lazy" decoding="async" class="alignnone wp-image-35849 size-full" src="/wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance.png 1017w, /wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance-300x172.png 300w, /wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance-180x103.png 180w, /wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance-768x441.png 768w, /wp-content/uploads/2023/06/Safety-And-Soundness-In-AI-And-ML-Steps-For-Effective-Governance-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></em></strong></p>
<p><strong><em>Read David Cass&#8217;  latest article as an official member of Forbes Technology Council: </em></strong></p>
<p><strong><em><a href="https://www.forbes.com/sites/forbestechcouncil/2023/06/28/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/" rel="nofollow noreferrer noopener" data-cke-saved-href="https://www.forbes.com/sites/forbestechcouncil/2023/06/28/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/">https://www.forbes.com/sites/forbestechcouncil/2023/06/28/safety-and-soundness-in-ai-and-ml-steps-for-effective-governance/</a></em></strong></p>
<p>&nbsp;</p>
<p>As artificial intelligence (AI) and machine learning (ML) technologies continue to evolve at an unprecedented pace, their implementation in various sectors of business, industry and society has grown exponentially. The value brought by these technologies is immense, from improved efficiency and decision-making to transformative applications in healthcare, finance and transportation. However, the rapid adoption of AI and ML brings safety, soundness and governance challenges.</p>
<p>Ensuring the safety and soundness of AI and ML systems is paramount, as these technologies often make autonomous decisions that can affect human lives and societal structures. At the same time, effective governance of AI and ML technologies is essential to regulate their use, mitigate potential risks and ensure ethical and responsible practices. This article discusses the importance of safety and soundness in AI and ML and the steps an organization should take for effective governance.</p>
<p>&nbsp;</p>
<h2><strong>The Importance Of Safety And Soundness</strong></h2>
<p>The safety of AI and ML technology refers to its ability to operate without causing harm, whether by malfunction, error, or misuse. Soundness, by contrast, pertains to the reliability of the AI system&#8217;s performance and outputs. Both safety and soundness are critical for the following reasons.</p>
<p><strong>• Protection of human life and property:</strong> AI systems are increasingly used in safety-critical applications, such as autonomous vehicles, healthcare diagnostics and industrial automation. A malfunction or unreliable performance can lead to accidents, injuries or even loss of life.</p>
<p><strong>• Trust in technology:</strong> To accept and adopt AI technology, users need to trust its decisions and actions. This trust can only be established if the system is safe and sound.</p>
<p><strong>• Legal and ethical considerations:</strong> Without safety and soundness, AI and ML systems can lead to legal issues and ethical dilemmas, such as privacy invasion, discrimination and violation of human rights.</p>
<p><strong>• Economic impact:</strong> Reliable AI and ML applications lead to better decision-making, increased efficiency and more significant financial benefits for organizations. Conversely, unreliable or unsafe systems can lead to significant financial loss.</p>
<p>&nbsp;</p>
<h2><strong>Steps For Effective Governance Of AI And ML Technologies</strong></h2>
<p>Effective governance of AI and ML is a crucial responsibility for organizations. It involves establishing guidelines, policies and procedures that ensure these technologies&#8217; safe, ethical and responsible use. The following are key steps an organization should take:</p>
<p><strong>• Establish A Governance Framework:</strong> The framework should outline the roles and responsibilities related to the use of AI and ML technologies, including development, deployment and monitoring. It should also establish guidelines for ethical considerations, privacy and data protection.</p>
<p><strong>• Develop AI Ethics Principles:</strong> These principles should guide the design, development and deployment of AI and ML systems. They should address issues such as fairness, transparency, privacy and human oversight.</p>
<p><strong>• Implement Rigorous Testing And Validation:</strong> Regular and rigorous testing of AI and ML systems is crucial for ensuring their safety and soundness. It should involve comprehensive validation processes, including unit testing, integration testing, stress testing and user acceptance testing.</p>
<p><strong>• Implement Security Testing And Validation:</strong> This includes testing the model for susceptibility to poisoning and data manipulation attacks.</p>
<p><strong>• Maintain Transparency:</strong> Organizations should strive for transparency in their use of AI and ML. This involves explaining the purpose of the AI system, its decision-making process and any potential risks.</p>
<p><strong>• Continuous Monitoring And Auditing:</strong> AI and ML systems should be continuously monitored and audited to identify any issues or malfunctions. Regular audits can also ensure the systems adhere to the set policies and guidelines.</p>
<p><strong>• Training And Awareness:</strong> Employees should be educated about the ethical use of AI and ML technologies, potential risks and their role in ensuring safety and soundness.</p>
<p><strong>• Stakeholder Engagement:</strong> Regular engagement with stakeholders, including employees, customers, regulators and the public, can help identify concerns, gain insights and build trust.</p>
<p>&nbsp;</p>
<p>In conclusion, as AI and ML technologies continue to expand, ensuring their safety, soundness and effective governance becomes increasingly critical. Organizations that proactively address these challenges will be better positioned to reap the benefits of these transformative technologies while minimizing the potential risks. It&#8217;s a task that requires continuous effort and vigilance, but it&#8217;s a vital part of the path toward a future where AI and ML can be trusted to make decisions that benefit us all.</p>
<p>&nbsp;</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Lean Times Demand Creative Approach to Training</title>
		<link>/lean-times-demand-creative-approach-to-training/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Mon, 01 May 2023 06:06:39 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=35006</guid>

					<description><![CDATA[<p>Security is everybody’s job. But how do we get better at training awareness? The conventional rule of thumb is that if you have a phishing click rate under 10%, that’s&#8230;</p>
<p>The post <a href="/lean-times-demand-creative-approach-to-training/">Lean Times Demand Creative Approach to Training</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone wp-image-35010 size-large" src="/wp-content/uploads/2023/04/AdobeStock_578356211-1024x683.jpeg" alt="" width="1024" height="683" srcset="/wp-content/uploads/2023/04/AdobeStock_578356211-1024x683.jpeg 1024w, /wp-content/uploads/2023/04/AdobeStock_578356211-300x200.jpeg 300w, /wp-content/uploads/2023/04/AdobeStock_578356211-768x512.jpeg 768w, /wp-content/uploads/2023/04/AdobeStock_578356211-1536x1024.jpeg 1536w, /wp-content/uploads/2023/04/AdobeStock_578356211-scaled.jpeg 2048w, /wp-content/uploads/2023/04/AdobeStock_578356211-600x400.jpeg 600w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></p>
<p><span style="font-weight: 400;">Security is everybody’s job. But how do we get better at training awareness?</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The conventional rule of thumb is that if you have a phishing click rate under 10%, that’s supposed to be pretty good. But if you’re a sizable organization and have a click rate of 10%, you still have a pretty big problem. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">So it’s our job to figure out how to get our organizations better trained without overburdening employees to the point that they stop listening. </span></p>
<p><span style="font-weight: 400;">One key is to keep the messaging short. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The security awareness training that’s usually done once or twice a year lasts anywhere from 45 minutes to two hours. It’s something that needs to be done to make sure everyone in the organization is up to date on any annual changes. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">For this broader messaging, I’ve found “lunch and learns” have been useful to bring employees from across the organization together, both to let them know basics about what the security team is doing, and what resources are available to them. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">But there is also a need to get out brief messaging, whether monthly or quarterly, to address things that have been going on in the world, such as attacks, or geopolitical developments that could lead to nation-state hacking. These short and sweet messages are critical to get more distribution and increase the likelihood that employees are actually going to pay attention.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I’ve used entertaining, two-minute video snippets covering everything from not getting yourself shoulder-surfed at the airport, to why you shouldn’t be talking about business on your mobile, because you never know who’s in the seat behind you listening. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">These mini-trainings should deliver relevant and actionable security tips. Other delivery mechanisms could include a quick email from the CISO on what’s going on in the security world. Whatever the format, I wouldn’t go over two minutes because you’re liable to lose your audience. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Getting the right frequency is also very important. Phishing simulations are crucial. But overphishing can be a counterproductive nuisance.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">We need to get the right training to the right people, so one thing to consider is what level of knowledge different groups of employees require. Privileged users, for example, should have a more formal knowledge assessment to make sure they understand what the potential threats or issues are with their having privileged access. </span></p>
<p><span style="font-weight: 400;">Another central factor is the tone at the top: If employees don’t see senior management living and setting the example, then training awareness is almost irrelevant. It doesn’t matter how many tools you have; if the senior execs don’t lead by example, it’s not going to be followed. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Companies might also consider having some kind of monitoring in place to follow potentially exposed credentials. If you’re doing any kind of dark web monitoring, whether in house or under contract with another firm, then if employee credentials are found outside the network, that could give you an idea of whether your company is rising as a potential attack vector. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It’s not enough, though, to put training awareness programs in place: We also need to find ways to gauge their effectiveness. We all report phishing metrics, but what other metrics should we be reporting? Proactive reporting on the part of employees would be a valuable addition. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once these mini-trainings have been introduced, they may give you a better metric to say that risk scores have improved. Being able to measure the effectiveness of a training program will be a good tool when you report your team’s achievements to management. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And who knows, that might ultimately translate to your budget. </span></p>
<p>&nbsp;</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
