From Shadow IT to Shadow AI - Tackling Emerging Risks

By Josh Porter | 17th December 2024

Security experts have been plagued by the boogeyman of shadow IT for as long as security teams have existed. Now, just when CISOs think they are starting to get a handle on it, here comes a new threat – shadow AI.

Business leaders, dev teams, marketing teams – everybody wants to take advantage of AI. This means that, like it or not, AI is here to stay. Now it is up to security leaders to take control of shadow AI to ensure that the business embraces AI securely.

At last month’s Security Insight Summit, our panel of experts took to the stage to share how their organizations were tackling the risks around shadow AI.

The panel featured Mike Welna, Director of Information Security at Boys Town; Dana Turner, CISO at Union Bank & Trust; and Ryan Shea, Senior Business Value Consultant at Wiz. This is what they had to say.

Detecting shadow AI

How do you protect yourself from what you aren’t aware of? Visibility is step one. It’s one thing to use a firewall to identify the commonly used generative AI tools, but there is much more to AI than just those websites.

“You need to find out what AI means in your organization; if you don’t, you’re going to be in trouble.”

Dana Turner, CISO at Union Bank & Trust

Organizations are desperate to embrace AI, but the risks emerge when security teams have no oversight of where and how AI is being used. A Cloud Access Security Broker is a powerful tool for identifying your shadow AI risk, but it’s not the only solution. It feels old-fashioned, but speaking to the teams within your organization is as good a way to uncover shadow AI as any other.

In the interest of maintaining oversight of AI usage, our panel had seen success by establishing a sanctioned AI tool. Doing this allows security teams to focus their training and risk management efforts around one tool as opposed to several. If anybody wants or needs to access another tool, track it. Use exception requests to ensure that any AI tool being used outside your sanctioned one is known and controlled.

Staying adaptable to AI risk

It’s not enough for security leaders to offer a secure AI solution and stop there. What do you do when one day one of your existing tools updates and, surprise, it now has AI integrated? The unfortunate reality is that the security optics around AI aren’t good.

To move forward, security leaders need to treat AI in the same way as any other cloud service. Incorporate it into your existing risk management framework, run risk assessments, and support implementation with continuous training and education.

Working together to tackle shadow AI

Security teams want to say yes to AI. Security exists to enable the business, not hold it back. By having these open and honest conversations around AI, security teams can start to establish the governance they need while enabling the business to innovate fast. The truth is, if you try to prevent those within your organization from using AI, you are only fuelling the shadow AI fire.

“Telling your organization not to use AI is like telling a high school student not to use a calculator.”

Mike Welna, Director of Information Security at Boys Town

If your business is pushing for AI, you need to discuss the realities of it with senior leadership. It is often those with the most power who are most ignorant of the risks. Inform your business leaders of the risk and secure their buy-in from a security perspective. From there, it really can be as simple as “your team wants to do X? OK, let’s sit down and look at it together.”

From shadow AI to secure AI

Our current AI landscape is a bit like the Wild West. Everyone wants to take advantage of AI, and security teams are left to make it happen. Whether you choose to lock down AI, offer a sanctioned AI option, or give your teams free rein, common-sense security will prevail.

Don’t go all in. Be mindful of these technologies and do your due diligence in the same way you would for any other new technology.
