Why AI Is Not A Replacement For A Thrive vCISO

The tech headlines are inescapable, as is the assault on our email inboxes and voicemail with announcements of the latest products and services capable of solving all our business challenges efficiently and inexpensively through the revolutionary power of artificial intelligence (AI). Lest you think the use of the word “revolutionary” was meant sarcastically, it was not. It is increasingly clear (despite the hype) that AI is in fact a revolutionary technology, and will play an increasingly powerful role in how our businesses and our world operate.

That prediction notwithstanding, are generative AI tools such as ChatGPT, Gemini, and Copilot a reasonable replacement for an experienced and credentialed virtual Chief Information Security Officer (vCISO)? Can AI stand in for the knowledge, skill, and capabilities that a vCISO brings to your organization?

Let us dive deeper and see if AI might actually stand for Almost Intelligent, or Anxiety Inducer when used as a substitute for a Thrive vCISO.

Strategic Thinking

Developing an information security program is a complex undertaking. Identifying the correct mix of technical, administrative, and physical security controls for your organization is a daunting task, especially with specific compliance or regulatory requirements in the mix. Now add the need to have those protections align with your corporate and IT strategies and your unique organizational risk tolerance, all without becoming an impediment to business success.

Juggling that many variables, while also factoring in industry conditions, the competitive landscape, and your organization’s culture (including its resistance to change), is beyond the capability of AI as it stands today, even with the most sophisticated of prompts. A vCISO can perform that highly nuanced analysis; AI-based reasoning currently cannot.

The Human Element

As good as AI and large language models (LLMs) are at querying and analyzing enormous data sets in seconds, they remain blunt instruments when it comes to inference. At this point in its evolution, AI operates in a largely binary, black-or-white world, a recipe for disaster in a human world with a considerable amount of gray. One of the most important skills a successful vCISO, or any business leader, must possess is the ability to win others over. This requires “reading the room,” understanding and appreciating others’ positions and perspectives, and building the rapport necessary to advance an agenda.

It is these uniquely human skills, the nuts and bolts of human relationships, that are essential for designing, implementing, and, more importantly, managing an information security program, and AI cannot do that.

Fiscal Responsibility

Asking an AI platform to design an information security strategy is akin to taking a candy and ice cream-fueled child into FAO Schwarz during the holidays and asking them what gifts they would like Santa to bring. You can imagine the result: “I want that, and I want that, and I want that….”

Issuing a prompt to an AI platform to design a basic information security program for a mid-sized company had a similar result. In five seconds, the AI-designed Security Roadmap was returned; a laundry list of security technologies totaling $500K and including some decidedly nonspecific “MSSP and GRC services.” The AI roadmap was created with no context on what the company did, the nature of the infrastructure in place, the sensitivity of data, or any compliance and regulatory considerations, and so on. Could the prompt have been more sophisticated and included some of those details? Absolutely.

However, even with a more refined prompt and a correspondingly more refined cost estimate, would you be willing to stand in front of your Board of Directors and recommend a budget based on the platform’s output? While your personal and organizational risk tolerance will drive your answer, a vCISO has the real-world security operations and engineering experience needed to drive intelligent, data-based investment decisions and to identify and avoid the hidden costs and “gotchas” associated with developing and managing a security program.

Accountability

In the AI-generated security program example shared above, there was no mention of who would be accountable for the program, the level of effort necessary to effectively manage it in the long term, or the costs associated with those critical program elements. This is a conspicuous oversight because even the most basic of governance structures requires a program owner. Additionally, security programs are not static; they require constant care and feeding to remain effective, and that takes considerable effort. If your organization has any compliance or regulatory requirements in the mix, a vCISO will be the resource to serve as the security program owner, assist with audits and auditors, and make sure the control structure upholds your compliance obligations. AI tools cannot do that.

Accuracy

There is an old computing expression most will have heard: “Garbage in, garbage out.” This mid-20th-century, dawn-of-computing maxim emphasized that any output is only as good as the inputs that led to it. The data universe feeding your AI platform (in large part, the public internet) is not perfect. It is rife with conflicting data and misinformation. AI is likewise a “master of generalization” at this point in its evolution, and while AI tools are making progress with logic and reasoning, they continue to rely heavily on consensus, in effect the majority vote of their training data, to drive their recommendations. This means the most common internet data and results related to your prompt will drive its advice. Would anyone reading this blog describe their business as common or standard? Far more likely, you would describe it as imaginative, inspired, and inventive. Your Thrive vCISO makes sure your security program is aligned with those unique business and cultural characteristics to effectively support your mission.

A final example related to AI’s accuracy should help make the point hit home. Using a market-leading AI platform in researching for this blog, the following prompt was created:

[Image: the prompt entered into the AI platform]

The AI tool’s response went on to list multiple industry-leading platforms and solutions, but it failed to mention itself! This seemed incredible as the platform being used is an AI industry powerhouse. The tool gets an A-for-honesty, however. When asked why it had not listed itself as a leading platform, it came up with the following response:

[Image: the AI platform’s response]

Was the AI just being modest? A pillar of high-tech humility? No, that is likely not the case. It was an oversight, plain and simple, but this example clearly demonstrates that AI has limitations and imperfections, especially so early in its development. AI will absolutely go on to have an unprecedented (and hopefully positive!) impact on our businesses and our world in the years ahead. But remember that our AI “sprinters” have just heard the pistol shot and left the starting blocks. There is a long race ahead of them, and much remains uncertain regarding what AI will become and how it will change our lives. Until that picture becomes clearer and some of these limitations are addressed, are you willing to bet your organization’s reputation and information security future on it?