What are the basic controls, especially technical ones, that are considered most important for mitigating GenAI risks in the enterprise?

286 views4 Comments

Sort By:

Oldest

Global CISO3 months ago

Initially, when we encountered the explosion of chatbot technologies like ChatGPT, we had to act swiftly with the limited resources available. One fundamental approach we adopted was to define clear guidelines for employees regarding their usage of these tools. We emphasized the importance of understanding not only how to use the tools but also the implications of the information they generate. This education helps employees discern whether the responses they receive are peculiar or misleading, which is crucial when they use this data for business or sales decisions. We chose not to block access to these technologies but instead focused on responsible usage.

We also took steps to ensure that any copying of confidential content by these tools was highlighted as a significant risk. Our next step was to seek a solution that provided a safer, more controlled environment, which we could contractually protect, rather than leaving it to the unpredictable nature of the broader internet.

VP of Information Security in Software3 months ago

I agree with Andrea's emphasis on education and communication. Given the novelty of GenAI technologies, there isn't a universally accepted method for handling them. However, treating them like any other new technology—by educating and discussing their implications thoroughly—seems to be an effective strategy.

AVP of Information Security3 months ago

Community members, this is a great topic and I think it depends upon the industry that each of us is in. For healthcare, cardholder, or financial services I would recommend the following controls:
1. An AI policy or security stance outlining the rules of engagement
2. DLP scanning of any repositories in order to identify whether classified data exists within the data sources that may be leveraged for any LLM.
2. A CASB endpoint software configuration that allows you to control any uploads of classified data is being uploaded to site categorized as AI in your Secure Web Gateway

Please join or sign in to view more content.

By joining the Peer Community, you'll get:

Peer Discussions and Polls
One-Minute Insights
Connect with like-minded individuals

Group Director of Information Security in Banking2 months ago

Basic Controls, especially technical ones changes from one use case to another. You need to concentrate on use cases. For example:

1. If you are using the most often deployed Retrieval Augmented Generation (RAG) in Azure AI Search, below is a good source of basic controls to build within:
https://learn.microsoft.com/en-us/azure/search/search-security-overview

2. If you have subscribed to Copilot for Microsoft 365, then take a look at ' How does Microsoft Copilot for Microsoft 365 protect organizational data?' This will give guidance for some controls to consider.
https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy

3. Controls market is split between products that claim to mitigate GenAI risks in areas of Content Anomaly Detection, Privacy & Data Protection and AI Application Security. Calypso AI, Lasso Security and Robust Intelligence products comes near to covering 2 of the 3 areas. As it's a highly evolving market, keep evaluating.

Content you might like

Does your business have a measurable framework that people or departments must follow when choosing new tools or technologies for your business?

Culture & Values Vendor/Product Recommendation

Yes, and it is always followed22%

Yes, but it is rarely followed54%

Some departments do, but not across the business14%

No9%

View Results

1.8k views2 Upvotes

If you have had a negative experience with a vendor (without naming the vendor), what did you learn from it?

Financial Management Vendor Management

VP of Global IT and Cybersecurity in Manufacturing6 years ago

Have clear business requirements up front, make sure the proposal includes items such as scope, timeline, cost, resources.

I am a CISO in the Boston area. If you are like me, you get numerous event invitations per week. What CISO events do you attend to gather the most insight? Which have you found to be a waste of time?

Events

1 view

Are you investing security budget in protecting key employees and executives from spear-phishing and social engineering attacks through their personal social media accounts?

Yes, visibility for protecting key employees and executives on social media is part of our cybersecurity budget.56%

No, we do not have a solution or visibility to protect key employees on social media.38%

No, but we plan to budget for key employee and executive protection in the future.5%

View Results

1.5k views2 Upvotes

What’s on your IAM roadmap for the next 18-24 months?

Identity & Access Management (IAM)Threat & Vulnerability Management Security Strategy & Roadmap

Director of IT in IT Services4 days ago

Implementation of Zero trust architecture, its modules across the organisation is a priority for us. So, we will be implementing zero trust strategies in IAM, inline with overall strategy.

1.4k views1 Comment