AI for Cybersecurity: Are Boards Getting on Board? 

A few years ago, someone suggested that artificial intelligence (AI) algorithms should be given seats on companies’ boards of directors, to consume relevant data and help inform decision-making.[1] The idea hasn’t really caught on — yet. 

Today, AI is making an appearance at board meetings in another context: as an option for automating and strengthening security defenses at a time of unrelenting cyber risk. Boards seem to be warming up to the idea — gradually.

A new Mimecast survey generally shows progress toward more cyber-sophistication on the boards of directors of many companies. But knowledge gaps persist. It’s still challenging for CISOs to report on cybersecurity at the board level and sustain directors’ attention to cyber risk amid competing business priorities, according to an upcoming Mimecast report on evolving perceptions of cyber risk.

Discussing AI and machine learning (a subset of AI) takes CISOs’ board communications challenge up another notch.

Why Cyber AI?

Boards have come to embrace cyber risk as a business risk, the report says, laying the groundwork for them to approve funding and set company policies that advance cybersecurity. Getting to this point has taken time and effort by CISOs, since few board members have cybersecurity backgrounds. As for pitching them AI, “Most board members know how to spell AI, and not much more,” quipped one board member with AI expertise.[2]

For their part, CISOs believe AI can reduce today’s unrelenting cyber/business risk, handling the growing volume, velocity, and complexity of both the data that needs to be protected and the attacks that threaten it. Notably, CISOs see AI as key to automating cyber work, including the offloading of repetitive manual tasks that can drain staff time and morale even as a global skills shortage is leaving many positions unfilled. They also recognize the AI-fueled arms race that is currently taking shape, with cyberattackers arguably ahead in using advanced technologies to target, craft, and automate their criminal exploits.

To resonate with board members, these and other points should be presented by CISOs in terms of how AI will support business objectives without introducing new technology risk. Boards may have limited understanding of how AI works, but they care deeply about business performance and risk mitigation.

The Growing Business Case for Cyber AI

Many CISOs now have a couple of years of experience in using AI to routinely automate cybersecurity, and the business case for cyber AI is becoming clearer. AI can provide critical support to security analysts, analyzing threat, behavioral and other data faster and, in some cases, better than they can. In preliminary findings from Mimecast’s forthcoming State of Email Security 2023 survey, CISOs currently using AI were asked about its biggest benefits. Here are their top five:

1. Increased accuracy of threat detection
2. Threat prevention
3. Faster threat remediation
4. Reduced workload for the security team
5. Reduced human error across their company

New research from Mimecast partner IBM also shows AI-powered automation of cybersecurity delivering demonstrable improvements in shoring up network protections, detecting and preventing attacks, and responding to them. In business terms, most CISOs reported a reduction of at least 18% in data breach costs including incident response, operational downtime, reputational damage, as well as potential lost sales, partnerships, and investment. The median number of days required to detect incidents decreased by 12% after implementing AI, and response and recovery time dropped by 11%.[3]

These insights are built on a growing base of cyber AI experience. SOES 2023 pollsters found that nearly half of security teams are currently using AI, with almost one-third planning to do so in the coming year. IBM’s survey showed nearly two-thirds of security teams using AI for at least one security application, with roughly one-third considering AI adoption. Most of the early adopters have been using AI for less than two years, employing a mix of (often customized) off-the-shelf solutions and wholly custom-built tools.

Discussion of AI’s benefits shouldn’t overlook the potential business risk inherent in any new technology, however. AI requires huge volumes of high-quality information to work well, for instance, which is not something every company or security application has available.

Applying AI to Email Security

Email and collaboration platforms represent companies’ biggest cyber risk, because attackers tend to use these avenues to steal network access credentials, drop malware, perpetrate fraud, or otherwise support their criminal exploits. It’s a risk that most boards recognize and actively engage in discussing, according to interviewees’ responses to the “Behind the Screens” survey.

A separate Mimecast white paper on AI describes use cases for email security in areas including:

• User behavior: AI can detect anomalies in employees’ email use that might indicate account takeover or a data theft in progress — for instance, if emails are being sent from unusual locations at strange hours or in high volumes. Such mail would be held at the email security gateway, with senders alerted about the problem.
• Suspicious links: Intelligent tools can check whether a URL in an email is legitimate — for example, comparing the related website with legitimate sites to detect counterfeit logos or other evidence of brand spoofing. Blocking such pages can protect against credential harvesting.
• Alert fatigue: Machine learning can deliver a potent mix of threat intelligence, employee cyber risk scores, and other information to triage low-risk alerts, handle repetitive tasks, and raise the baseline level of threats requiring staff intervention. 

An Important Attack Vector to Consider

One of the most prominent current attack vectors that AI-based email security can help thwart is phishing attacks that actually use AI as part of their attack method. Phishing attacks involve the attacker trying to impersonate someone in the organization to gain access to sensitive information. They often come in the form of urgent messages that are targeted at specific individuals, such as the CEO. In the most recent versions of these phishing attacks, attackers use AI to generate a perfectly formed email, usually expertly optimized to their target. These phishing attempts can be very subtle and effective, as they can bypass alerts based on location, strange hours, or volume, and many other filters.

Board Understanding of Cyber AI: ‘Glass Half-Full’

Speaking anonymously during our “Behind the Screens” interviews, CISOs delivered mixed reviews of boards’ aptitude and interest in advanced technologies like AI for automation and other tasks.

A CISO for a French conglomerate gave an upbeat report, saying, “They understand the impact of a breach on operational activities, since an attack can delay flights and boarding systems. This is why our C-level executives and board members have prioritized cybersecurity, adopted new advanced technologies, and recently approved of upgrading the infrastructure with the use of digitization and automation.”

On the other hand, the head of IT at a Swedish financial services company offers a less rosy assessment, saying, “I think that business leaders understand the impact of a cyberattack but need to pay more attention to the technology aspect as well. They should have IT leaders reporting more frequently to them regarding cybersecurity, external threats, and innovative solutions that use emerging technologies such as AI, automation, or analytics.”

The Bottom Line

Now that there’s a base of experience among early adopters of AI and automation for cybersecurity, research is beginning to highlight their benefits in terms that are relatable to companies’ boards of directors. 

[1] “Why Not Appoint an Algorithm to Your Corporate Board?”, Slate

[2] “AI in Business: The One Thing Every Board Member Asks,” Forbes

[3] “AI and Automation for Cybersecurity,” IBM