ISSA South Texas Chapter Meeting - November 9, 2023

Maggiano's Little Italy Houston, 2019 Post Oak Blvd, Houston, TX 77056

11:30 AM - 1:30 PM

Event Details

ISSA South Texas Chapter Meeting – November 9th, 2023
Applying AI Governance

APPLYING ARTIFICIAL INTELLIGENCE GOVERNANCE, SECURITY, & RISK MANAGEMENT

INTRODUCTION AND BACKGROUND:

This presentation will discuss the key principles and associated practices to help guide the design, security, and deployment of automated systems in the age of artificial intelligence. With these key principles, we will offer clients who develop and use artificial intelligence as part of their business model a comprehensive blueprint for building and deploying automated systems securely and ethically. This interactive talk will discuss ensuring alignment with current and future AI-based regulatory requirements, protecting critical information, preventing AI bias, and maintaining privacy.

THE AI-Cybersecurity Problem:

Existing AI cybersecurity frameworks are unable to:

  • Adequately manage the problem of harmful bias in AI systems;
  • Confront the challenging risks related to generative AI;
  • Comprehensively address security concerns related to evasion, model extraction, availability, or other machine learning attacks, known as “adversarial AI”;
  • Account for the complex attack surface of AI systems; and
  • Consider risks associated with third-party AI technologies, transfer learning, and off-label use where AI systems may be trained for decision-making outside an organization’s security controls or trained in one domain and then “fine-tuned” for another.

LEARNING OBJECTIVES:

All eyes are on AI and Machine Learning – but how do we manage the power of artificial intelligence in managing business processes when the models aren’t integrated into the GRC ecosystem? We will shed some intelligence on where automation works best when risks are well managed and controls are in place to prevent adversarial attacks. This session will address the following concerns and risks AI poses to organizational uses of models and algorithms.

  • AI-based regulations are rising – handling global regulations being proposed, published, and enforced.
  • Risks from AI-based technology can be bigger than an enterprise, span organizations, and lead to societal impacts.
  • Using current cybersecurity frameworks. AI systems bring risks not comprehensively addressed by current security and risk frameworks.
  • Handling the risk that data used for building AI models may not represent the context of the AI system.
  • Unintentional changes during model training may alter AI system performance and accuracy.
  • Datasets used to train AI systems may become detached from their original context or outdated relative to the deployment context.
  • Increased privacy risk due to enhanced data aggregation capability for AI systems.
  • Underdeveloped software testing standards and failure to document AI-based practices to developed standards.
  • Difficulty performing regular AI-based software testing or determining what to test since AI systems are not subject to the same controls as traditional code development.
  • Computational costs for testing AI systems and models.
  • Privacy and cybersecurity risks are also considered as part of broader enterprise risk management considerations – lack of AI oversight committee for AI governance, risk, and compliance management.
  • The inability to predict and detect the side effects of AI-based systems beyond statistical measures.
  • Lack of industry expertise in automation governance, combined with GRC principled performance measures.

PRESENTER:

James Sayles, Senior Director of Advisory Services, CyberOne

  • GRC Fellow & Professional, CCISO, CIPP US/EU, CGEIT, CRISC, CIA, CISA, CISSP, CFE, CISM, CEH.
  • Business-aligned professional and thought leader in:
  • Enterprise governance risk and compliance (GRC), digital transformation, artificial intelligence, cybersecurity, enterprise risk management, data protection and privacy, internal and external audit, and regulatory compliance.
  • Accomplished cybersecurity executive with a 25+ year professional track record of developing eGRC ecosystems, cybersecurity risks and countermeasures, process automation/mgmt.
  • Former Chief Information Security Officer, Data Protection Officer, Chief Risk and Compliance Officer, and Enterprise GRC strategist.
  • Previous: Microsoft, Deloitte, Avaya, Forester, Royal Dutch Shell, BindView now Symantec, and consulted for Fortune organizations.
  • Professional speaker, GRC fellow, thought leader, coach, and mentor.

Meeting Sponsor: Exterro

Exterro empowers organizations to manage their Legal Governance, Risk and Compliance (Legal GRC) requirements proactively and defensibly. Our Legal GRC software is the only comprehensive platform that automates the complex interconnections of digital investigations, privacy, legal operations, cybersecurity response, compliance and information governance.

Thousands of corporations, law firms, government and law enforcement agencies around the world trust our integrated Legal GRC platform to manage their risks and drive successful outcomes at a lower cost.

The Industry’s Only Unified Legal GRC Software Platform

Time

(Thursday) 11:30 AM - 1:30 PM