Board members, CISOs concerned about AI impacts on cybersecurity

Change comes from the top down—and so do concerns over cybersecurity.

A new Proofpoint study on boards and CISOs found that the C-suite has threat actors on their minds. And the dangers presented by generative AI—a relatively recent concern—are among the hazards that have them on edge.

More than one-half (59%) of the 650-plus board members surveyed by Proofpoint this summer reported that they believe AI “already poses a security risk to their organizations.” The concern was highest in Asia and Australia; 79% of Japanese board directors, 78% of those in Singapore, and 71% of Australian board members named generative AI as the threat they’re most concerned about.

Threat level. Proofpoint senior director of cybersecurity strategy Brian Reed told IT Brew that the increasing sophistication of generative AI and its deployment by threat actors means it’s more difficult to detect when something is off.

“Gone are the days of being able to ask your users, for instance, ‘Hey, look for things like language issues, look for poorly written emails,’” Reed said.

To Henrik Plate, a security researcher at Endor Labs, the dangers presented by AI are threefold: its use by threat actors, accidental leakage from internal use, and improper securing of internal generative AI systems. The last is less a threat than the first two, he explained, due to a lower rate of adoption, while the first two present a greater danger.

“The biggest risk is that attackers use AI themselves in order to sophisticate and improve their attacks…and the second is more this accidental leakage of information,” Plate told IT Brew. “Because even though the adoption of this generative AI within companies is still relatively low, as soon as the adoption is growing, that risk becomes more important.”

Looking ahead. Cybersecurity as a whole is top of mind for board members; three-quarters of respondents said they feel their organizations are at risk for a cyber attack in the next 12 months, up from 65% last year. And preparedness has also taken a hit: 53% said they felt their organization is unprepared for a cyber attack, compared to 47% who felt that way in 2022.

Reed told IT Brew he sees that as indicative of awareness at the top that can translate into action—though not necessarily a readiness to manage threats.

“It’s really a good sign to see the awareness and funding is there, but it might not necessarily turn into the kind of preparedness that you want. 73% of the directors agree cybersecurity is a priority; 84% believe that budgets are going to increase,” Reed said.

“But,” he added, “does that really translate into preparedness? I think the jury’'s out a little bit.”