Cybersecurity considerations for Boards of AI-First companies
5 Critical things about cybersecurity of AI that the Boards of AI-First companies need to understand

Summary
At AI-First companies, boards have a unique role in helping their organizations secure AI advantage against emerging cybersecurity threats. They do not have daily operational responsibilities, but they have oversight and fiduciary duties. In some cases, board members can avoid financial and freedom penalties for their companies.
Don't leave any questions about risks and critical vulnerabilities related to AI for tomorrow. Asking the right stakeholders the right questions at your next meeting might save your company from unmanageable disasters like IP loss, financial losses, brand and reputation losses, and weak positioning.
Demonstrating a clear understanding of AI Security and risks is your first step in the long battle to secure sustainable AI advantage. In this article, we provide an understanding of cybersecurity for AI-first companies.
Article
Security is an afterthought or is actively avoided because it is perceived as a drag on innovation. Historically, adversaries target the most valuable assets. In today's context, that is data in general. But AI is the biggest and most heavily invested-in asset. Would TikTok succeed in a highly competitive attention economy without its AI recommendation engine? What if it is attacked? Would Grammarly succeed without its AI engine? What if it is compromised? What if AI-powered security systems are attacked? The cybersecurity of AI in AI-first companies is not just another hygiene factor but the single most crucial aspect. At the end of the day, AI is the business.
AI businesses are under attack, whether you are aware of it or not. Gartner reported that 2 in 5 organizations had AI Security incidents and privacy breaches [1]. They also hypothesized that many breaches and incidents are going unreported or undetected. The technical director of the National Security Agency's (NSA's) Cybersecurity Directorate thinks that security incidents of AI might go unnoticed. “And, of course, successful attacks might not be detected,” he says [2]. The viewpoint of AI security was further presented in two US Congressional Hearings [3, 4]. Attacks on AI are a reality [11], and an unfortunate one.
We need a different mindset to tackle the evolving cyber threats against AI. The Board of Directors (BoD) needs to manage the associated risks actively to discharge its fiduciary responsibilities and, in some cases, avoid financial and freedom penalties. We discuss three real examples in our article that led to product withdrawal, product malfunction, and financial losses arising from emerging threats (https://etcio.com/s/57qyd3x). The secondary harms are damage to brand reputation, IP loss, and in extreme cases, bankruptcy. To manage overall business risks effectively, the BoD needs to understand the spectrum of risk and its impact arising from cyber threats for AI.
We have conversed with more than 100 experts, 32 C-level executives, and 17 board members across 20 AI-first companies, primarily startups. The conversations led to fascinating insights and the emergence of a few patterns, resulting in five things that boards and C-level executives need to know about cybersecurity for AI-first companies regarding AI – their most valuable asset.
1. Cybersecurity of AI
- is different than traditional cybersecurity
- is different than privacy, bias, and fairness concerns of AI
- is about more than protecting data
- has impact across the AI lifecycle
- is an organizational problem as well as a technical problem
2. Boards must focus on 3R (risk, reputation, resilience) and business continuity for AI
3. The prevailing approach to cybersecurity of defense-in-depth is not sufficient when it comes to AI
- AI needs a new last layer of defense
- Cloud shared responsibility models do not cover security of AI [5, 6]
4. Regulations and standards are upcoming for AI Security [7, 8, 9, 10]
5. AI attacks are happening but not detected or reported widely [1, 2, 3, 4, 11]
The BoD need not know all the answers. It simply needs to demonstrate a proper understanding. Simply by asking questions about the cybersecurity of AI and by having a conversation, the BoD signals that it is an important topic and indicates that it needs to be a priority topic for the organization as well.
If you are pressed for time, watch this 2-minute video (https://youtu.be/1LJVb6CYGUs) to gain more insights about AI Security issues.
You can visit our website (https://boschaishield.com/) for more details to understand how we help organizations detect and defend against emerging cybersecurity threats against AI.
If you are from the healthcare domain, then register for our upcoming webinar, where we discuss AI security issues in the healthcare industry with a focus on risk and compliance aspects.
Webinar | Cybersecurity for AI in Digital Health | Bosch AIShield & CyberActa
In the following article, we introduce a framework of 5-7 questions to ask to make sure your Board understands how your organization is managing the cybersecurity of AI in the new battlefield to secure sustainable AI advantage.
References