The AI Advantage: Harnessing AI for Security Risk Management

In anticipation of GSX, we sat down with presenters of upcoming sessions in order to get a better understanding of the topics at hand. This week we are featuring, “The AI Advantage: Harnessing AI for Security Risk Management,” presented by Andrew Sheves, founder of DCDR Risk. Read on for what he had to say and don’t forget to register for GSX 2024!

Q: How did you become interested in your topic?  

A: I’ve always been interested in how technology can improve our work as security risk managers. When I started in the commercial sector almost twenty years ago, I started building risk assessment templates in Excel and plan frameworks in PowerPoint and Word, with the intent of removing as much of the repetitive ‘busy work’ from the user as possible and cutting down on errors.  

I moved on to experimenting with simple applications and saw how these could make an enormous difference to our work, but the introduction of widely available services like ChatGPT 3 really opened my eyes to what might be possible. 

Incorporating these tools into the DCDR workflows has accelerated things far more than I could have imagined. I expected a 3-5x improvement, but I now have processes that would take 2-3 days manually, completed in less than 10 minutes with very little difference in quality. 

So I’m more excited than ever about the benefits we as an industry can realize from these new technologies. They have such a substantial force multiplier/accessibility benefit: it’s like having several additional team members or an extra decade or two of experience. I’m keen to see as many people as possible have access to best-in-class risk, security, and crisis tools. I think these technologies are genuine game changers. 

Q: Tell us about your presentation and why security professionals should have this topic on their radar.  

A: AI is the next significant technology shift following web, mobile, and cloud, so there’s no escaping it. Whether you have to use the tools, are part of the buying decision, or adapt to your organization’s adoption of AI, you need to understand enough about the topic to engage effectively. Even if the ultimate decision is not to use these tools, it must still be a thoughtful, informed decision. 

Even though I don’t cover this in detail, AI can significantly expand the opportunities for malicious actors and criminals to cause harm, loss, or damage, particularly with respect to the speed and scale of possible attacks. If we’re lucky, we’re on par with our adversaries but are often one step behind, so it’s imperative that we understand how they might be adapting their activities. 

But overall, this is the next major technical advancement we have to adapt to. Some of the challenges will be similar to previous technical revolutions, but with the added challenge of how quickly the field is moving. As the saying goes, ‘the best time to start planning was yesterday; the second best is today’. 

Q: What advice would you give security professionals interested in this topic?  

A: First, don’t be intimidated by the technical nature of the subject. A basic understanding of general technology and basic functionality is more than enough to allow you to participate in an informed manner. I don’t come from a deep technical background, so if I can master this, anyone can. 

Second, accept that you’ll always be a little behind on developments because things are changing so fast. There’s a lot of commentary out there, but I recommend following Professor Ethan Mollick on X / LinkedIn and listening to Nathan Whittemore’s daily AI update (YouTube: @TheAIBreakdown). They are both great at summarizing things, and they keep you up to date on big developments. Ethan Mollick’s book ‘Co-Intelligence’ is also a great read. If you want to get into the weeds, I can’t recommend ‘How AI Works: From Sorcery to Science’ by Ronald T. Kneusel highly enough. 

Third, experiment and learn to love the command line. The chat interfaces are amazing, but the real ‘blow your mind’ results come from working with the models directly. That can be as simple as beefing up your prompts to get very specific behavior or writing a few simple scripts that use the API to tie a model into a platform you’re already comfortable with (integrating into Google Suite is very simple). You’ll not only improve your work, but you’ll develop a deeper understanding of the pros and cons of these models. 

Finally, remember that you’re in charge and we must have humans in the loop. You have control, whether it’s what you ask the model to do, how you design it, the data you use, or checking the output before you release it. Just as you would guide, train, and oversee a junior associate, you must put guardrails in place for these models and monitor their behavior. AI is a tool — a very powerful one — but it’s still a tool, and one that it is up to us to use responsibly. 

Q: How do you see this issue evolving in the next 2-5 years?  

A: If I’m honest, the velocity of this technology makes me wary of trying to predict just 2-5 months out…  

However, in general terms, I expect the following. 

  • AI will be a wholly integrated part of our lives, just as mobile phones are today (with a similar mix of good and bad effects). 
  • Most companies that haven’t embraced AI by 2026 will be struggling by 2029 (if they are still around). 
  • We will have had one very significant incident in which AI was a core component, either as an enabler or where one failed. 
  • The number of positive developments due to AI will significantly outpace the negative ones. 
  • We won’t have one all-powerful AGI (artificial general intelligence), but we will have several domain-specific AGIs that outperform most experts in that field. Human experts will defer to these narrow AGIs more often than not. 
  • AI will allow us to solve many of our most challenging problems, but we will still need humans with the will to implement these solutions. 
  • We’ll regularly interact with AI in a way we can’t quite comprehend yet, such as a neural link or always-on AI companion. 

Q: Why do you attend GSX?  

A: GSX is the only place to get a real sense of where the industry is heading and hear from the leading practitioners and thought leaders on the most important topics in our industry. Despite the advances we’ve made in remote work and virtual meetings, connecting in person, hearing the hallway chatter, and seeing which talks and demonstrations are drawing the crowds is essential if you really want to get a good sense of what’s going on. I haven’t been able to attend in person for a few years while I’ve been abroad, so I’m really looking forward to getting back to GSX this Fall.