<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Blogs Archives - Security Current</title>
	<atom:link href="/category/blogs/feed/" rel="self" type="application/rss+xml" />
	<link>/category/blogs/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 15 Sep 2025 19:00:01 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Blogs Archives - Security Current</title>
	<link>/category/blogs/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>There’s No Such Thing as Zero Risk:  A Conversation With Nikk Gilbert, RWE CISO</title>
		<link>/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Mon, 15 Sep 2025 18:56:10 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=37608</guid>

					<description><![CDATA[<p>The post <a href="/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/">There’s No Such Thing as Zero Risk:  A Conversation With Nikk Gilbert, RWE CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img fetchpriority="high" decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO.png" class="vc_single_image-img attachment-full" alt="" title="There’s No Such Thing as Zero Risk A Conversation With Nikk Gilbert RWE CISO" srcset="/wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO.png 1017w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-300x172.png 300w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-180x103.png 180w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-768x441.png 768w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>In this candid conversation, Nikk Gilbert, Chief Information Security Officer at RWE, shares his perspective on zero risk myths, burnout, organizational pace, and why resilience is the real strategy. His answers are unfiltered and grounded in decades of frontline experience.</p>
<p><span style="color: #5c028c;"><strong>Q: Can a company ever really achieve zero risk if it spends enough?</strong></span></p>
<p>“No company can achieve absolute zero risk — but what you can achieve is the confidence that when incidents happen, you’re prepared, tested, and ready to respond effectively. That is real strength, and that’s where investment truly pays off.”</p>
<p><span style="color: #5c028c;"><strong>Q: Burnout is a huge problem in your role. How do you avoid it?</strong></span><br />
“This role is demanding, but sustainability matters. I’ve learned that balance doesn’t mean counting hours — it means energy management. I aim for work-life harmony. When I’m at work, I’m fully engaged. When I disconnect, I recover. That rhythm keeps me sharp, and it means the company gets my best, consistently.”</p>
<p><span style="color: #5c028c;"><strong>Q: What should boards and executives really hear from a CISO?</strong></span><br />
“Boards deserve clarity. They need to know that cyber risk is not about perfection but preparation. Attackers will always try — what matters is that the company has the right plans, people, and response capability. With strong preparation, we keep the narrative under control: RWE is resilient, capable, and never caught off guard.”</p>
<p><span style="color: #5c028c;"><strong>Q: What about organizational speed?</strong></span><br />
“Every organization has its natural pace. The goal of a CISO is not to fight that, but to align with it and still move forward steadily. A battleship doesn’t turn quickly, but once it turns, it’s unstoppable. That’s the power of discipline and direction.”</p>
<p><span style="color: #5c028c;"><strong>Q: At the end of the day, how do you see your role?</strong></span><br />
“Cybersecurity is one part of a much larger machine. Our job is not to be the center of attention, but to quietly ensure resilience is built into the company’s DNA. When risk becomes reality, our role is to steady the ship and protect trust. That’s leadership in action, even if it’s behind the scenes.”</p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Beware the False Economy Trap</title>
		<link>/beware-the-false-economy-trap/</link>
		
		<dc:creator><![CDATA[Neda Pitt]]></dc:creator>
		<pubDate>Thu, 19 Jun 2025 15:30:57 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=37463</guid>

					<description><![CDATA[<p>The post <a href="/beware-the-false-economy-trap/">Beware the False Economy Trap</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap.png" class="vc_single_image-img attachment-full" alt="" title="Neda Pitt CISO BLOG Beware the False Economy Trap" srcset="/wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap.png 1017w, /wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap-300x172.png 300w, /wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap-180x103.png 180w, /wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap-768x441.png 768w, /wp-content/uploads/2025/06/Neda-Pitt-CISO-BLOG-Beware-the-False-Economy-Trap-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/beware-the-false-economy-trap/neda-pitt-ciso-blog-beware-the-false-economy-trap/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><span style="font-weight: 400;">In times of economic uncertainty and downturn, many organizations look to pare costs by going after cybersecurity. But this attempt to save money at a time when the attack landscape is rapidly expanding could end up costing an organization heavily in terms of cash, reputation and compliance. </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">Cybersecurity pays dividends time and again by protecting organizations against breaches or attacks that get out of hand. Many organizations, however, are still locked into the mentality that sees cybersecurity as a cost to the organization instead of an enabler. And if they haven’t had a major breach, then they feel that they are doling out money without getting anything in return.   </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">That is a shortsighted approach. As cybersecurity leaders, we aim to reduce cybersecurity debt because of the risk it poses. But in times of belt-tightening, cyber debt almost inevitably increases, adding even more risk to the organization. When funding gets reduced, security initiatives and headcount both suffer. And with everyone taking on more work, mounting pressure means staff is going to buckle under the strain, and things will slip by.  </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">What’s more, rocky economic periods are prime time for adversaries. Doors open to malicious actors when an organization seeks to cut costs by shifting its focus away from practicing cyber hygiene, reducing security debt, and positioning cybersecurity as a key driver to the business and its goals. </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">Organizations therefore need nuanced conversations to think through the various risks involved in cost cuts, because cybersecurity outlays are not a yes/no conversation. </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">Two high-profile companies exemplify the case in point. Equifax pulled back on security and wasn’t focusing on the fundamentals of cyber hygiene. It took its eye off the ball &#8212; and that breach cost the company $1.4 billion in losses, plus an incalculable amount in reputational damage.  </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">On the opposite end of the spectrum, IBM saw the writing on the wall and invested in cybersecurity, understanding it could be an enabler and a differentiator.  Even during economic uncertainty and downturn, it stayed focused on making cybersecurity one of its largest enterprises. Today, IBM is a huge cybersecurity vendor, with $1 billion in annual revenue from that sector and trusted by Fortune 100 companies as a premier go-to for cybersecurity solutions. </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">As cybersecurity leaders, we understand that the question is not if a breach will occur, but when, and that’s why we’re warning against false economy. A sizable cyber incident costs $4.5 million on average, and for small companies – which constitute the overwhelming percentage of businesses – the outcome could be devastating.</span></p>
<p><span style="font-weight: 400;">And cyber insurance won’t necessarily be able to step into the breach. If the insurer determines that the cybersecurity cuts prevented the organization from taking reasonable precautions and due care, then the incident may not be covered.  </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">Recovery from a major incident can be devastating to companies of all sizes, not only in terms of immediate financial loss, but in its lasting disruption to an organization’s momentum. It drains FTE capacity, redirects critical resources, and forces leadership to abandon strategic initiatives in favor of crisis response. Teams are pulled away from innovation and growth to focus on operational triage, prolonged investigations and rebuilding customer trust. The ripple effects can stall business goals for quarters – or even years – undermining competitiveness, morale and long-term value creation.</span></p>
<p><span style="font-weight: 400;">The urge to cut cybersecurity budgets directly conflicts with the growing regulatory pressure for stronger security practices. As investment shrinks, risk rises, putting organizations on a collision course with compliance failures. This tension between cost cutting and increased scrutiny is unsustainable, and will eventually result in missed audits, regulatory violations and costly penalties. </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">Over the past two years, the cybersecurity landscape has fundamentally transformed. The explosion of digital innovation – driven by AI, the proliferation of SaaS applications, the surge in IoT adoption, and the expanding web of third- and nth-party relationships – has dramatically widened the attack surface. At the center of this shift is a new kind of arms race, with both adversaries and enterprises racing to integrate AI and automation into every facet of their operations. The result is a volatile, high-stakes environment where the speed and scale of risk are unlike anything we’ve seen before.  </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">While we on the cybersecurity side use AI to try to better protect and drive business, our adversaries are using it to mount bigger, better and faster attacks. Bad actors no longer need farms of people. Increasingly sophisticated AI-generated calls and emails have made social engineering, the easiest avenue of attack, much harder to detect. Information security has long been a challenging uphill effort, but the rapid acceleration of AI is significantly amplifying that challenge. As AI increases the scale, speed and sophistication of potential threats, the demands on security teams – and the risks to the business – are growing exponentially. What was once a manageable climb is now a steep and accelerating ascent that requires strategic investment and board-level attention.  </span></p>
<p><span style="font-weight: 400;">The rapid proliferation of SaaS applications across enterprises has introduced significant security risks. Many of these tools are onboarded without proper configuration, oversight, or alignment to the organization’s security policies. Without a clear owner to manage and maintain them, these applications often become blind spots – leaving sensitive data exposed and increasing the risk of data exfiltration, misconfigurations and compliance failures.   </span><span style="font-weight: 400;"><br /></span></p>
<p><span style="font-weight: 400;">In today’s resource-constrained environment, managing the growing array of security risks has become increasingly difficult. Lower-priority items on the risk register – such as third-party vendors – often receive less attention, yet they frequently become the very pathways adversaries exploit. Without consistent oversight and rigorous security assessments, third- and nth-party relationships can introduce hidden vulnerabilities that undermine even the most mature security programs.</span></p>
<p><span style="font-weight: 400;">While cost cutting is an unfortunate reality during times of economic uncertainty, cybersecurity should not be the first place to trim. As CISOs, we continuously evaluate how to streamline, simplify and optimize our environments. But reduction in security investment must be approached with nuance – not as blanket cuts, but as risk-based decisions rooted in the realities of the evolving threat landscape. These conversations must go beyond “cut or not” and involve leadership across the business, with CISOs at the table. Security leaders are uniquely positioned to help identify areas where efficiencies can be gained without compromising protection. Key opportunities include driving automation with InfoSec oversight, streamlining manual processes, and eliminating tool sprawl through platform consolidation. Additionally, revisiting underperforming contracts and reducing duplicative third-party engagements can yield meaningful savings while maintaining control and visibility.</span></p>
<p><span style="font-weight: 400;">Cybersecurity, when embedded strategically, is a force multiplier – not a cost center. It protects operational resilience, builds trust with customers and investors, and enables the business to move faster and more confidently in a volatile market. That’s why security leaders must be part of every strategic business discussion – not just to defend the budget, but to help shape the future.  </span></p>

		</div>
	</div>
</div></div></div></div></div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>An AI-Propelled Arms Race For Trust Requires New Thinking On Security</title>
		<link>/an-ai-propelled-arms-race-for-trust-requires-new-thinking-on-security/</link>
		
		<dc:creator><![CDATA[Don Baham]]></dc:creator>
		<pubDate>Mon, 09 Jun 2025 16:07:20 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=37458</guid>

					<description><![CDATA[<p>Artificial intelligence has ignited an arms race for trust, and security leaders need to reassess their defense strategies. Bad actors are trying to build trust around their deep fakes&#8230;</p>
<p>The post <a href="/an-ai-propelled-arms-race-for-trust-requires-new-thinking-on-security/">An AI-Propelled Arms Race For Trust Requires New Thinking On Security</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img decoding="async" class="alignnone size-full wp-image-37461" src="/wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role.png 1017w, /wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role-300x172.png 300w, /wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role-180x103.png 180w, /wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role-768x441.png 768w, /wp-content/uploads/2025/06/Don-Baham-CISO-BLOG-Consider-This-When-Looking-for-a-New-Role-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Artificial intelligence has ignited an arms race for trust, and security leaders need to reassess their defense strategies.</span></p>
<p><span style="font-weight: 400;">Bad actors are trying to build trust around their deep fakes or re-engineered content. At the same time, we, as defenders, want to build trust in our data and the relationships we have. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Embedding trust is a conundrum. As security leaders, we encourage skepticism and distrust of messages that land in an employee’s inbox or phone. At the same time, we want employees to trust what’s coming from us internally, and trust in the systems we use. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">So there is a tension between enlisting employees to be a line of defense while asking them to trust in processes and systems that we are putting in place, and in the data we make available to them to do their jobs.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">A recent study from Salesforce discovered that confidence in company data is falling. Just 40% of business leaders rate their company data as reliable, 36% have faith in its accuracy, and 34% believe it’s complete. That’s significantly down from a 2023 survey that showed 54% found the data to be reliable, 49% said it was accurate, and 34% assessed it as complete. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">With today’s technology, it’s become fairly easy to leverage public content to use somebody’s voice to create other content or to authenticate themselves into a system that uses voice authentication. Additionally, there are images out there that are extremely difficult to distinguish from the real thing. The barrier to entry for creating this AI-generated content has become quite low, as capabilities around creative content are becoming more accessible, cheaper and faster. </span></p>
<p><span style="font-weight: 400;">Bad actors are also leveraging AI to conduct very targeted and increasingly sophisticated phishing campaigns. You no longer see the general signs of phishing and spam markers, like misspellings. So the traditional security awareness around that isn’t working anymore because these very targeted and well crafted emails can be created and dispersed quickly, cheaply and at scale using AI platforms. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Bad actors are also starting to develop agentic AI capabilities, deploying bots that are running semi-autonomously or autonomously, leveraging data sets and large language models to generate their own content. Down the line bots will be trained to create these attacks, without need for human intervention. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">As security leaders, we cannot afford to be entrenched in what we’ve been doing until now. Sometimes we’re constrained because we’re heavily invested in older solutions that are hard to displace. But to the extent that some flexibility exists, we need to be looking at new solutions to combat a new set of threats. </span></p>
<p><span style="font-weight: 400;">A raft of security products have flooded the market in an attempt to combat or defend against these AI-related developments, but their track record has been spotty. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">The area where capabilities are most mature is in the email defense space, where new players are developing products based on the same technologies that the bad actors are using to help detect some of the more sophisticated AI-generated spear-phishing attacks. </span></p>
<p><span style="font-weight: 400;">Typically what I’ve seen are API-based solutions that plug directly into the email suite and quickly process information as it lands in the inbox. We don’t want to slow down email delivery, or have people clicking on links before the email can be analyzed. So we need to consider a solution’s speed and scalability, as well as its ability to identify user behavior and take action post delivery.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Another thing to look out for is what players mean when they tout their AI capabilities. Is it really AI, or is it machine learning? It’s probably a combination of both. But you need to dig in to ascertain whether they are truly using AI and how that might affect your organization. Are they using your data to train their model? Is your data being exposed to other companies on their SaaS platform? What models are they using?</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">What are they willing to share with you about how they leverage those models? </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">I haven’t seen much progress around deep fakes and voice recognition. Some of the developers are tackling this from an identity standpoint, but the space remains immature. </span></p>
<p><span style="font-weight: 400;">As organizations plan to defend themselves against AI-assisted bad actors, relationship building within the enterprise is crucial. It can be as simple as having a roadshow around different offices to talk about the technology and security programs that are in place. Solicit feedback, and show how you’re using that feedback to build trust in the relationship between employees and the technology, security and systems they’re using. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Digital users cannot bury their heads in the sand around artificial intelligence and its implications. We don’t need to become AI experts, but we do have to understand its capabilities and understand the terminology. Don’t brush it off as something that’s not going to completely change the world we live in, because it will. </span></p>
<p><span style="font-weight: 400;">Just recently, Shopify CEO Tobi Lutke told his staff that no new hires will be made unless they can prove AI can’t do the job. </span></p>
<p><span style="font-weight: 400;">If we, as security leaders, understand what AI is and start to work with it, that will help raise the tide for everybody. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Consider This When Looking for a New Role</title>
		<link>/consider-this-when-looking-for-a-new-role/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 11 Jun 2024 13:12:29 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36961</guid>

					<description><![CDATA[<p>Demand for skilled security professionals remains strong, but it’s being tested by the economic uncertainty that accompanies an election cycle. Economic uncertainty typically spurs companies to cut spending, and many&#8230;</p>
<p>The post <a href="/consider-this-when-looking-for-a-new-role/">Consider This When Looking for a New Role</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36964" src="/wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role.png 1017w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-300x172.png 300w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-180x103.png 180w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-768x441.png 768w, /wp-content/uploads/2024/06/DAVID-CASS-BLOG-Consider-This-When-Looking-for-a-New-Role-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>Demand for skilled security professionals remains strong, but it’s being tested by the economic uncertainty that accompanies an election cycle.</p>
<p>Economic uncertainty typically spurs companies to cut spending, and many consequently have either had big layoffs or major restructurings. That’s probably leading to hiring freezes until companies sort out where they stand internally. Executives may also be shifting priorities, and reevaluating security needs while they explore how to optimize current staffing before bringing in very skilled new hires.</p>
<p>If you’re a CISO looking for a new role in this climate, you should probably be thinking about four things:</p>
<p><strong>Highlight the value you bring: </strong>Showcase your experience in managing security, mitigating risks, adapting to an evolving threat landscape, and your experience with budgets. One of the keys to building a case for your candidacy is thinking about what type of CISO you are. Are you a CISO who is good at being a builder, the early-on security hire who essentially must do everything while building the organization? Or are you a good security operator, who’s very good with budgets and security operations, and can take an existing program and continue to develop it? Or maybe you’re a transformer, the type of CISO who comes in post-breach or post-incident to an organization that needs a major security overhaul?</p>
<p>Figuring out what type of CISO you are will help you to frame your strengths best.</p>
<p>So, too, will figuring out what size organization you’re suited for. If you’re used to managing a lot of people, odds are that the startup world isn’t for you because there you’d be doing everything until the startup reaches critical mass. When you’re creating your CV, there will be different things to highlight depending upon the size of the organization you’re looking at, and whether it needs to be built from the ground up or transformed.</p>
<p><strong>Understand the industry you’re looking at:</strong>  How do you highlight your industry knowledge? Some sectors are highly regulated, while others are not. Understanding the specific security challenges for the industry you’re looking at is crucial.</p>
<p><strong>How do you network strategically as a CISO? </strong>Do you attend industry events? Are you connecting with your peer CISOs at different groups? Are you connecting to different recruiters? Oftentimes, other CISOs become aware of certain job openings even before recruiters do. How you build and leverage your network is important, as is the kind of brand that you bring to your network.</p>
<p><strong>Demonstrate you’re current with the appropriate skills:</strong> Security is one of those industries where you need to be a continuous learner or you get left behind. You need to demonstrate your commitment to continuous learning by staying on top of technological developments and changes, such as cloud technology, blockchain or AI.</p>
<p>Compensation for security professionals varies widely. If you’re looking for a seven-figure opportunity, you need to understand that there are far fewer of those than there are mid-market opportunities. Competition will also be fierce. The big determinant of salary is not only the experience you bring to the table but also the size and scale of the organization you’re looking at. Not all CISO roles are created equal in terms of authority and scope of operations.</p>
<p>Many organizations are now looking for CISOs because they understand they need them, but some might be offering compensation that’s below the average market value because they don’t have an understanding of the role. In those cases, it’s the job of the recruiter or HR to help them do an accurate discovery of where salaries are and help the company level-set expectations.</p>
<p>Within the past four or five years, there’s been an improvement in the specialist salary reports that are being published. But most organizations buy a generic IT salary report, and those do not tend to be a good reflection of security salaries. Consequently, HR is not necessarily getting the best data from outside since it’s not looking for security-specific salary reports.</p>
<p>Because of the new SEC regulations on security, demand for CISOs will increase. One of the big considerations candidates need to take into account is whether they will have the accountability and the authority to actually get the job done. Where does the CISO report in the organization? If there is a regulatory requirement, I would be fairly hesitant about taking a role where messaging has to go through multiple levels of management before it gets to the right person.</p>
<p>As always, finding the right opportunity is key to any job search.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Implementing Effective AI and ML Monitoring and Auditing</title>
		<link>/implementing-effective-ai-and-ml-monitoring-and-auditing/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 27 Feb 2024 11:48:47 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36454</guid>

					<description><![CDATA[<p>AI and ML systems need ongoing oversight to ensure their performance remains ethical, optimal and functioning within an anticipated operational threshold. System decisions, algorithms and data sources also need to&#8230;</p>
<p>The post <a href="/implementing-effective-ai-and-ml-monitoring-and-auditing/">Implementing Effective AI and ML Monitoring and Auditing</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36456" src="/wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing.png 1017w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-300x172.png 300w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-180x103.png 180w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-768x441.png 768w, /wp-content/uploads/2024/02/Implementing-Effective-AI-and-ML-Monitoring-and-Auditing-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">AI and ML systems need ongoing oversight to ensure their performance remains ethical, optimal and functioning within an anticipated operational threshold. System decisions, algorithms and data sources also need to be systematically evaluated to ensure compliance with internal policies or external regulations, ethical standards and organizational objectives. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Together, continuous monitoring and auditing assure performance. To make sure the system is performing as expected, you need some form of risk mitigation to help identify risks early. Are there biases? Are the predictions incorrect? Are you potentially having data privacy issues? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And lastly, you need to take steps to make sure the public has trust in the system. Continuous monitoring and auditing is another means of assuring trust to key stakeholders that the system is functioning and there is accountability for it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Following are key steps and strategies that need to be taken to implement effective monitoring and auditing:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Set out clear metrics and KPIs to define what successful operation of the AI and ML model means.  These metrics should provide reasonable insights around things such as accuracy, fairness, privacy or any other essential criteria.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Figure out how to implement real-time monitoring tools. There is a lot of software out there that can track the system’s operation in real time. You want to make sure it is able to flag anomalies, alert on changes in performance, and detect changes in usage or patterns. This will allow you to set alerts based on your monitoring criteria. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Have an independent party conduct regular audits. You don’t want the team that’s created the model and put it into production to do the audit. You want an internal or external audit group who can take an unbiased look. If it’s an internal group, it must have the right level of expertise so it doesn’t have to rely on the AI team to understand what’s going on. You want unbiased auditors who can review the usage of algorithms, the data sources, the decision-making process, and whether it is compliant with regulations and ethical standards the organization has defined. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Establish a continuous loop to give the AI and ML teams feedback from monitoring and auditing. Put a mechanism in place to action and follow up on any issues that might be found. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Set out guidelines for transparency and reporting. Reporting should go to stakeholders and cover things such as the validity of data sources, any findings, and any potential biases. Accountability requires that any findings go to the right level, and not just to the team that’s designing and operating the model. Perform an ethical compliance check to make sure operations are following ethical guidelines. That would involve assessing the model for its decisions to make sure there is no potential bias or discrimination inherent in the system. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Assess data quality. Continuously monitor to assure that data sources used in the model are still relevant and that there is quality control around those data sources. If you are using bad data to train an AI model, rest assured you’re going to have a bad outcome.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Implement security monitoring to detect any potential breaches, vulnerabilities or abuse of the model. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Make sure the auditing and monitoring team is trained by the appropriate external sources to spot potential issues. They need to be updated on the latest regulations, and understand what best practices are in the use of AI and ML. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Continuous monitoring and regular auditing are key parts of AI and ML. It’s not something you do once and hope for the best. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>The Need for Testing and Validation When Modeling AI and ML</title>
		<link>/the-need-for-testing-and-validation-when-modeling-ai-and-ml/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 13 Feb 2024 06:06:33 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36440</guid>

					<description><![CDATA[<p>The adoption of artificial intelligence and machine learning is expected to deepen as organizations seek to increase efficiencies. But compromised models could cause financial losses or reputational damage to an&#8230;</p>
<p>The post <a href="/the-need-for-testing-and-validation-when-modeling-ai-and-ml/">The Need for Testing and Validation When Modeling AI and ML</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36442" src="/wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML.png 1017w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-300x172.png 300w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-180x103.png 180w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-768x441.png 768w, /wp-content/uploads/2024/02/The-Need-for-Testing-and-Validation-When-Modeling-AI-and-ML-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">The adoption of artificial intelligence and machine learning is expected to deepen as organizations seek to increase efficiencies. But compromised models could cause financial losses or reputational damage to an organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As CISOs, then, it is our mandate to protect the integrity of AI/ML models by creating a security testing and validation program. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">To make sure models don’t become unpredictable, it’s essential to test for susceptibility to two main types of attacks &#8212; data poisoning and manipulation.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Many models continue to learn once they’re put into use. With data poisoning, an attacker introduces malicious data into the training set to compromise the model’s performance after it is already deployed, to get it to act in an unintended manner or to produce results it normally wouldn’t. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">With data manipulation, an attacker injects inputs to deceive the model into making a wrong prediction or classification. Imagine an autonomous vehicle mistaking a stop sign for a speed limit sign. The effect could be deadly. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A poisoned or manipulated model can also introduce biases that can lead to unfair or discriminatory outcomes. Security testing will help to ensure that the model hasn’t been tampered with. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Security testing also has regulatory and compliance implications. We are already seeing more and more governments publishing requirements or guidelines around the use of AI and ML. As we see more AI and ML vulnerabilities, we can expect more regulations to follow, perhaps in the form of more specific security standards. If you’ve already set up a security testing and validation program, that should put you in front of some of these evolving standards. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Just as we do threat modeling in security in general, we need to do threat modeling for AI and ML models. Start by understanding what the potential threats are. Who might want to attack the model? Is it someone seeking financial gain? Is it someone looking to do reputational harm to an organization? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">By knowing what the threat landscape is, you can put more effective testing and security around your model. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once the landscape is established, you need to test for data poisoning. One way is to validate the data sources. You want to make sure that all the data sources being used for that model come from reliable, verified sources, and that you have controls around who can put that data into production. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The same holds for anomaly detection. You want to have ways to monitor for any anomalies in the training data. Have there been unexpected changes to the data that could indicate poisoning attempts? Aside from monitoring, you want to make sure the model isn’t going to act oddly if it gets a string of code or an inject that wasn’t predicted. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As part of the testing, you want to build adversarial examples. Once you do the threat model, create manipulated inputs to test the model’s robustness against them. Did they compromise the model, or was the model able to successfully reject them? </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You also want to make sure you have a means to recognize drift, and do regular updates to help the model defend against it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In some cases, models need bounds in terms of expected inputs or outputs to limit the potential for harm. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">While general testing focusing on performance, operation, ethics and bias avoidance needs to be taken into consideration for AI and ML, we also need to focus on preventing bad things from happening with the model. Security needs to be proactive in this space, as an essential component of a good AI and ML program. </span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Protecting the Integrity of AI/ML Models</title>
		<link>/protecting-the-integrity-of-ai-ml-models/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 06 Feb 2024 13:04:41 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36418</guid>

					<description><![CDATA[<p>One of the most critical components for artificial intelligence and machine learning modeling is testing and validation. Because these models can have such a critical impact on our lives, you&#8230;</p>
<p>The post <a href="/protecting-the-integrity-of-ai-ml-models/">Protecting the Integrity of AI/ML Models</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36420" src="/wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models.png 1017w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-300x172.png 300w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-180x103.png 180w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-768x441.png 768w, /wp-content/uploads/2024/02/Protecting-the-Integrity-of-AIML-Models-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">One of the most critical components for artificial intelligence and machine learning modeling is testing and validation. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Because these models can have such a critical impact on our lives, you want to be able to identify and correct errors, anomalies and biases early. You want to be able to validate the model against predefined benchmarks that were established during the design stage, and make sure it can handle real-world scenarios before you release it to the real world. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">You also need testing and validation to gauge regulatory compliance and risk management.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Various types of testing need to be performed in an AI/ML development lifecycle:</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Unit testing</b><b>:</b><span style="font-weight: 400;"> Test the individual components of the AI/ML system in isolation. Check edge cases for unexpected results when handling inputs, and check outputs against expectations. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Integration testing</b><span style="font-weight: 400;">:  While different modules or components of the system may work well in isolation, unexpected things may happen when they are grouped together. Integrate the components one by one to test their interoperability. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Then validate that the information you expect to be flowing between the interconnected components is actually flowing. For example, is the data retrieval component fetching the right data? Is the algorithm processing data correctly, and is the output appropriate for the entire data stream?</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Stress testing: </b><span style="font-weight: 400;">Gauge how the system performs under extreme conditions such as high volumes of data or requests, monitoring it for latency, error rates and resource utilization. If you have a natural language processing model or a chat bot, you might want to simulate thousands of simultaneous user requests. Can it maintain performance? What does it do when it starts to bottleneck? Does it drop things, or is there some ordered way that it’s handling it? </span><span style="font-weight: 400;"><br />
</span><b><br />
</b><b>User acceptance testing:</b><span style="font-weight: 400;"> This is the stage where actual users start testing it in a real-world environment. Subject a diverse group of users to any kind of realistic scenario and task that the model was designed for. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Before embarking on the testing, it is crucial to </span><b>establish best practices</b><span style="font-weight: 400;"> for implementing the tests. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Automation </b><span style="font-weight: 400;">is key. Use automated testing frameworks where possible so you can streamline the process and conduct recurring tests efficiently. These automated tools exist, so you don’t have to develop them yourselves. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The next part is something that organizations tend to struggle with: </span><b>version control</b><span style="font-weight: 400;">. Make sure to maintain versions of your models and data sets so you can track back results if a new version or data set is acting differently from predecessors. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">From a regulatory point of view, it is also important to keep a </span><b>comprehensive log</b><span style="font-weight: 400;"> for auditability and compliance. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The last part in the testing regime is setting up the model for </span><b>continuous monitoring</b><span style="font-weight: 400;"> after it is deployed. The system needs to be continuously monitored not just for performance, but to make sure that if there’s any bias or drift, then someone can catch it early and retrain the model.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Rigorous testing and validation is critical in the development of AI and ML. It’s not something that should be optional. Adherence to testing procedures helps to make sure that the model is reliable, robust and staying within ethical and operational guidelines. </span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Time to Take a New Look at Our Cybersecurity Programs</title>
		<link>/time-to-take-a-new-look-at-our-cybersecurity-programs/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Tue, 30 Jan 2024 13:04:40 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36413</guid>

					<description><![CDATA[<p>As we kick off a new year, this is a good time to reevaluate how we look at our cybersecurity programs, and key components that need to be considered. *&#8230;</p>
<p>The post <a href="/time-to-take-a-new-look-at-our-cybersecurity-programs/">Time to Take a New Look at Our Cybersecurity Programs</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36415" src="/wp-content/uploads/2024/01/David-Cass-January-2024.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2024/01/David-Cass-January-2024.png 1017w, /wp-content/uploads/2024/01/David-Cass-January-2024-300x172.png 300w, /wp-content/uploads/2024/01/David-Cass-January-2024-180x103.png 180w, /wp-content/uploads/2024/01/David-Cass-January-2024-768x441.png 768w, /wp-content/uploads/2024/01/David-Cass-January-2024-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p><span style="font-weight: 400;">As we kick off a new year, this is a good time to reevaluate how we look at our cybersecurity programs, and key components that need to be considered. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The first key component is to </span><b>understand your audience. </b><span style="font-weight: 400;">Not all employees are created equal. You need to look at how the company is structured. How is the technical team structured? How is the executive team structured? Each different group is going to have potentially different needs.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once you’ve identified the target groups, you need to do a skill-level assessment. This doesn’t have to be formalized, but you need to assess what level of cybersecurity knowledge each of those different groups possesses. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The second major element is </span><b>setting training objectives.</b><span style="font-weight: 400;"> One objective might be generally increasing the awareness of the importance of cybersecurity across the whole organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another might be increasing the secure coding skill of the development team.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Once you’ve set your training objectives, you’ll want to think about how to develop skills. If your goal is to broaden the sense of cybersecurity’s importance, then you’re going to want to train employees on how to identify phishing, or create secure passwords or ensure safe internet browsing. If you’re aiming for secure code development, then it’s about identifying the key languages your organization develops code in and giving developers the basics of secure coding for those languages. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another component of training objectives is regularly familiarizing employees with the organization’s cybersecurity policies and procedures. That would include reviewing and updating an acceptable use policy if one exists, and spelling out who to contact in the event of a security issue or incident.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* Major element No. 3 is </span><b>curriculum development.</b><span style="font-weight: 400;"> I find that training modules are more effective than all-day training sessions. You can modularize topics like phishing, malware, password protection, secure coding for a certain language, data and privacy laws, and safe browsing habits, and do updates on a monthly or quarterly basis. You’ll want to include real-world examples in these modules to illustrate what the common threats are and how they can impact an organization. You can draw either from your organization’s own experience or that of a competitor or other industry member. To give people practical experience, follow up with interactive elements like a quiz or a simulation. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* </span><b>Method of delivery </b><span style="font-weight: 400;">is your fourth major component. If your organization is geographically dispersed, then online training will be the way to go. If not, then you can opt for in-person workshops with a chance for interactive questions. The content has to be updated regularly as threats to the organization change. You can’t recycle something from four years ago and expect it to still be relevant. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* The next major element is </span><b>implementation.</b><span style="font-weight: 400;"> As you’re planning into the year, set the cadence and what the rollout will look like. Some elements, like general awareness training, should have mandatory participation for all employees. Secure code development should be mandatory for developers operating in a specific language. Link to any supporting materials so they have modules or presentations to refer back to. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">* And finally, set up a mechanism for post-training </span><b>evaluation and feedback </b><span style="font-weight: 400;">so you can use that for continuous improvement. Consider incentives and recognition for people who complete the training.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In the long term, you’ll want to revisit your cybersecurity program each year, and update as necessary for compliance or legal or industry standards. Good tracking and reporting will be essential to the program’s success.  </span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Peer Networking: It Helps You Understand What Great Looks Like</title>
		<link>/peer-networking-it-helps-you-understand-what-great-looks-like/</link>
		
		<dc:creator><![CDATA[Endré Jarraux Walls]]></dc:creator>
		<pubDate>Tue, 07 Nov 2023 09:48:18 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36294</guid>

					<description><![CDATA[<p>Cybersecurity thrives on networking and collaboration. It’s crucial to interact with peers to share critical information, attack vectors and things you’ve experienced. Peer networking groups are a great way to&#8230;</p>
<p>The post <a href="/peer-networking-it-helps-you-understand-what-great-looks-like/">Peer Networking: It Helps You Understand What Great Looks Like</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36296" src="/wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like.png 1017w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-300x172.png 300w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-180x103.png 180w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-768x441.png 768w, /wp-content/uploads/2023/11/Peer-Networking-It-Helps-You-Understand-What-Great-Looks-Like-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Cybersecurity thrives on networking and collaboration. It’s crucial to interact with peers to share critical information, attack vectors and things you’ve experienced. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Peer networking groups are a great way to do that. They allow you to understand what great looks like, and to identify things that you can take back to your own organization to improve what you do. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In our industry, you can always reach out to peers for lessons and insights. But larger peer networking groups allow you to do that in a much more consolidated space where you can get opinions and thought leadership from lots of different people  – and share the lessons you’ve learned throughout your career. </span></p>
<p><span style="font-weight: 400;">One of the reasons I decided to get involved with CISOs Connect in particular was because I found it to be an exceptional peer networking group that was focused on helping CISOs explore things outside of their day-to-day responsibilities. I like that you can learn about how to manage various legal challenges, how to deal with various regulatory issues, how to navigate aspects of your career and how to negotiate your compensation.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">I don’t think there’s any other industry that thrives on shared experience and lessons learned more than the technology industry, because there are 500 ways to do what we do. There’s no one right way to solve a problem. And for that reason I think it’s critical that people take the time to network with peers and learn from their experiences, mistakes and successes.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When I think about what makes for a good peer networking group, I think diversity is Number 1.  A diverse group will give you insights from different people and different ideas and different industries. It also offers opportunities to learn from people at different stages of their careers. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">For me, networking is part of the continuous learning we should all be involved in. I know some people say, how can I justify spending tens of thousands of dollars a year on this? You can justify it because it’s essential training not only for you, but also for your organization. If you have a budget for continuous learning – and you definitely should – there should be a provision for helping top performers in your shop attend networking events and trainings.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Insights gleaned from these peer networking meetings should be taken back to your board or other executives. It’s one thing to tell people you believe a certain track is the right way to go. It’s another to be able to share someone else’s experience. If you can take the experiences of others and relate them to something meaningful for your organization, there’s nothing more powerful. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The potential outcomes will help the company be able to better protect itself.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Peer networking groups also help companies by giving them exposure. Exposure makes hiring easier and also opens new pools of candidates. I can say for a fact that I see more women and more minorities in our industry thanks to these networking groups. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">And of course, networking is always useful in moving along a career path. Peer groups give you an idea of the networks you need to build to potentially get to your next job – and to help non-executives in your shop progress on their growth cycle. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Presenting future leaders in our organizations with ways to interact with other professionals who could help their careers progress is a responsibility we all have as leaders. It’s painful to lose a great employee, but providing them with that sort of support is really important. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">While industry groups are great, the wider tech and security peer networking groups are the most powerful. Sometimes your best ideas on how to execute a technology plan or solve a technology problem or manage a certain aspect don’t come from your industry.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Getting involved in a peer group that brings people together from different industries makes it possible for you to get ideas and thoughts outside of the everyday space that you operate in. And there’s a lot of power in that. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Ethical Principles Must Undergird AI</title>
		<link>/ethical-principles-must-undergird-ai/</link>
		
		<dc:creator><![CDATA[David Cass]]></dc:creator>
		<pubDate>Wed, 01 Nov 2023 06:06:04 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=36277</guid>

					<description><![CDATA[<p>Artificial intelligence needs to be deployed in a way that benefits humanity. That requires looking beyond the short-term model to long-term use and AI&#8217;s widescale impact on the broader society.&#8230;</p>
<p>The post <a href="/ethical-principles-must-undergird-ai/">Ethical Principles Must Undergird AI</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-36278" src="/wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI.png 1017w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-300x172.png 300w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-180x103.png 180w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-768x441.png 768w, /wp-content/uploads/2023/11/Ethical-Principles-Must-Undergird-AI-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></span></p>
<p><span style="font-weight: 400;">Artificial intelligence needs to be deployed in a way that benefits humanity. That requires looking beyond the short-term model to long-term use and AI&#8217;s widescale impact on the broader society.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">As the use of artificial intelligence and machine learning grows, so, too, will the deployment of automated decision-making systems that could greatly impact well-being, privacy, and livelihood. Organizations must, therefore, develop ethical principles to guide the design, development, and deployment of AI and ML systems to ensure that the power of these technologies is used responsibly. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">This is a two-stage process. Stage one is developing the principles. Stage two defines the various core AI ethics principles that will guide the organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When developing the principles, the first step is to get </span><b>multidisciplinary input</b><span style="font-weight: 400;"> from a mixed community of ethicists, technologists, legal experts, and sociologists. Representatives of affected communities &#8212; for example, health care or finance &#8212; also have to be involved to guarantee there’s a comprehensive understanding of the potential implications for its use. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The second step would be a </span><b>broader public consultation</b><span style="font-weight: 400;"> if it’s an AI or ML model that impacts society at large. Public consultations, such as a town hall, can offer insights from ordinary citizens who might be affected while helping to foster trust in the use of AI and ML. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Regularly reviewing ethical principles is critical because AI is evolving so quickly, and they need to remain relevant. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">It’s also important to put a </span><b>feedback mechanism</b><span style="font-weight: 400;"> in place to ensure that the AI developers, users, and affected individuals can provide observations and critiques on the AI systems and their implications once they’re deployed. It’s important to know whether the system is working as expected.</span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When it comes to delineating what the core AI ethics principles should be, the first thing that comes to mind is </span><b>fairness</b><span style="font-weight: 400;">. The AI model should be designed and trained to avoid bias – something that’s often easier said than done. It needs to provide equitable outcomes regardless of age, gender, race, or any personal characteristics. Proactive steps must be taken to address and rectify any biases that might be inherent in the training data or algorithms. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Transparency</b><span style="font-weight: 400;"> is another critical component. Stakeholders and other people impacted by the model should be able to understand how the system works. It’s not enough to have clear documentation of the algorithm, the data source, and the decision-making process. There needs to be a plain English version that people who aren’t data scientists can understand. Transparency helps users understand the model itself, trust it, and be able to effectively interact with it. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Another critical issue is </span><b>privacy.</b><span style="font-weight: 400;"> To respect the rights of individuals to maintain their privacy, the protection and confidentiality of their data must be ensured through differential privacy mechanisms, such as federated learning or encryption. User data must not be vulnerable to exposure or improper use. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Human oversight </b><span style="font-weight: 400;">is essential. If an automated system errs or acts in an unexpected way, there needs to be human judgment in the loop to be able to intervene or identify that the model is acting improperly and to rectify any damages. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><b>Accountability </b><span style="font-weight: 400;">needs to exist at several levels – one individual cannot be responsible for the entire outcome. There needs to be accountability at the level of development and design and then overall accountability for the model and its use, which probably rises to the corporate executive level.  </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Continuous learning and monitoring mechanisms must be in place to track how these models are performing and ensure that they remain aligned with ethical standards over time. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Developing and adhering to ethical principles is about more than preventing misuse. It’s about guiding technology to realize its full potential and serving humanity. As technology continues to blend into all facets of our lives, we need a strong foundation to ensure that it remains an ethical tool for the greater good. </span></p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
