FAQs Evolving Insights on AI Risk and Governance for CISOs

By Meghan Hollis

The era of pervasive artificial intelligence (AI) is here, demanding an immediate and decisive response from CISOs. The pressure is immense with 86% of organizations piloting, scaling or extensively deploying generative AI (GenAI). Traditional cybersecurity governance models are insufficient for addressing the complex cybersecurity and privacy risks inherent in large-scale AI adoption. CISOs are expected to be a part of managing and governing AI use; however, these expectations are often beyond the scope of the cybersecurity leader’s role. The CISO’s role is not to shoulder the entirety of AI governance, but to exert influence over broader governance while leading the cybersecurity governance activities. This is essential for managing risk, ensuring compliance and securing the use of AI.

The CISO’s strategic remit for AI governance consists of three actions:

• Influence overarching AI governance, but resist taking a leadership role or sole responsibility: CISOs must actively contribute their cybersecurity risk management perspective to enterprisewide AI governance efforts, but draw a clear line: CISOs must not bear sole responsibility for the overall management and governance of AI. CISOs should demand a seat at the table to influence overarching AI governance activities, but should not lead it. They should inform the wider governance body of key cybersecurity risks of different AI deployment strategies and advise on how to enable the secure use of AI.

• Mandate adaptive AI cybersecurity governance: The adoption of AI technologies requires CISOs to make changes to existing cybersecurity governance practices to manage emerging risks successfully. This starts with establishing a roadmap to secure the use of AI. CISOs must evolve their foundational governance practices to address both common and unique risks presented by AI. CISOs must start by embedding AI cybersecurity governance into current cybersecurity structures while leveraging robust AI risk frameworks. CISOs should update existing policies, standards and processes to account for AI risks. They should incorporate AI cybersecurity literacy into organizational cybersecurity training and awareness programs to build capabilities.

• Combine cybersecurity best practices with AI-specialized controls: Conduct a cross-functional inventory of all instances of AI, evaluating each instance for cybersecurity features. Deploy AI trust, risk, and security management (AI TRiSM) approaches to manage the emerging, complex AI-related cyber risk environment. This will help coordinate cross-functional governance activities. Prioritize solutions that strengthen data protection for both structured and unstructured data utilized by AI. Start with your existing tooling and expand where traditional cybersecurity tools leave gaps for securing the use of AI.

By Mia Yu and Christopher Mixter

Most board members consider cybersecurity a top concern and a threat to the business. Instead of relying solely on technical and operational metrics, CISOs must adapt their data by translating it into terms the board understands to drive informed decisions. To bridge this disconnect:

• Use metrics that emphasize outcomes and are benchmarkable: Use outcome-driven metrics that provide visibility into risk exposure by connecting operational metrics and business outcomes. Benchmarked data is also valuable as it informs the board where the organization stands in relation to others. Use metrics that are easy to understand and demonstrate significant impact on strategic objectives, risk posture or operational resilience.

• Tell a story: Use a narrative approach to transform data into actionable insights, connect risk and reward and drive informed decisions. Link cybersecurity performance to business value that board members care about, like revenue, growth or operational continuity.

• Tailor the message by audience: Board members represent a range of roles, perspectives and priorities. CISOs who seek to get their message across may have to tailor that message accordingly. Best bets: Avoid technology jargon, adapt to the level of detail (e.g., strategic versus tactical) the audience expects, anticipate questions and ask for feedback so you can refine your approach.

   

By Alicia Booker-Carney

Third-party cyber risk demands the interaction with multiple stakeholders — and one of the most important stakeholders are the business owners. Business owners are vital partners in managing cybersecurity risk from third parties. Risks throughout the life cycle of the relationship with the third party tend to be missed because business owners expect the cybersecurity function to handle them. However, as business owners are accountable throughout the process, they must take ownership, collaborating with all parties and keeping the relevant stakeholders informed.

• Phase 1: Precontract due diligence: Business owners must submit the initial request for the third party to be assessed, along with any pertinent information concerning the third party. The critical information they provide enables the process to assess the third party to begin. 

• Phase 2: In-flight risk management and monitoring: As the point of contact for the third party, business owners are responsible for keeping all stakeholders informed in case of any major changes in the third party (e.g., job scope, data breach or cybersecurity posture).

• Phase 3: Recertification or termination: Based on the criticality of the third party, they will be placed on a recertification schedule. Once the date of reassessment or termination approaches, the business owner either needs to relay to the stakeholders that the third-party relationship will continue or if the agreement is terminated. If the third party is to be reassessed to continue the partnership, the business owner has the responsibility to assist the other stakeholders to obtain documentation. If the relationship with the third party is to be terminated, the business owner has the responsibility to coordinate with all stakeholders to verify that all equipment and data have been returned and/or destroyed by the third party.

By Craig Porter

AI adoption unlocks efficiency and innovation, but also expands the cybersecurity risk landscape. CISOs are challenged to enable the business to leverage AI’s benefits while also securing sensitive information and defending against both internal and external AI-driven threats, which include: 

• Lack of AI literacy and policy: Organizations that lack investment in AI governance and education about the proper use of AI inevitably create blind spots attackers can exploit.

• Shadow AI: Employees who use AI tools without proper authorization increase the organization’s risk of sensitive data leaks, regulatory non-compliance and compromised business decisions.

• AI prompts: A simple AI prompt can leak sensitive data to the underlying AI system by allowing access to sources such as chat histories and enterprise data repositories.

• Embedded AI features: AI capabilities within third-party solutions often escape notice, increasing the risk of inadvertent data leaks by employees.

• Uncontrolled experiments: Launching custom-built applications without sufficient security guardrails is a recipe for disaster that can lead to vulnerabilities and compromised systems.  

External risks include:

• Phishing, deepfakes and social engineering: AI has supercharged these already dangerous tactics by making them more convincing, raising the likelihood of data breaches.

• Regulations: As regional AI regulations evolve, compliance becomes increasingly difficult for companies, raising the likelihood of legal penalties and operational disruption.

• Attacks on AI infrastructure: Techniques like data poisoning, model theft and prompt injection corrupt outputs, expose sensitive information or introduce backdoors.

• Third-party and supply chain vulnerabilities: External vendors and open-source AI components can introduce risks from hidden vulnerabilities, lack of transparency and insufficient contractual controls, leading to unauthorized access or data leakage.

By Niyati Daftary

The answer is: It depends. The ideal cybersecurity team size varies based on multiple factors unique to each organization. However, Gartner benchmarking and insights provide data-informed guidance. Here is a starting point:

• Midsize enterprises (<1,000 employees): Start with one to three specialists.

• Large enterprises (≥1,000 and <10,000 employees): Expand to four to 15 roles.

• Extra-large enterprises (≥10,000 and <50,000 employees): Grow to 15 to 50 professionals.

• Extra-extra-large enterprises (≥50,000 employees): From 50+ roles, add specialized functions as complexity grows.

Organization size alone is just a starting point. CISOs must consider additional factors that directly influence staffing needs, including:

• Industry (sector-specific threat profiles, regulatory requirements)

• Enterprise size (headcount, revenue and operational complexity)

• Risk governance models (centralized versus federated decision-making structures)

• Regulatory landscape (scope and intensity of compliance obligations)

• Enterprise risk appetite and tolerance (organizational tolerance and willingness to accept risk as risk informs staffing thresholds)

• IT structure (centralized, decentralized or federated)

• Sourcing models (insourced, outsourced, hybrid, managed detection and response or managed security service provider)

• Geographic distribution (local, national or global)

• Cybersecurity program maturity (lower versus higher)

In addition, CISOs must consult industry benchmarks — such as cybersecurity full-time equivalents (FTEs) as a percentage of total IT staff (industry median: 5.1%) — as a reference point to inform, but not dictate, cybersecurity team sizing decisions. Benchmarking provides essential context and prepares CISOs for leadership questions for peer comparisons. CISOs must treat large deviations from benchmarks as a trigger to reassess or prepare a defense for team size decisions. Deviations can be justified — but CISOs must be fully informed and prepared to discuss these with senior leadership.

Cybersecurity team size is essential to get right. Understaffed teams face higher breach risks and compliance failures, with breach costs up to 20% greater than those of adequately staffed teams due to slower detection and response. 

By Tiffany Taylor

A zero-trust network (ZTN) must have three essential capabilities: identity and access management integration to centralize identity management; microsegmentation to limit the blast radius of breaches and prevent lateral movement; and zero-trust network access (ZTNA) in a secure access service edge (SASE) framework:

• Identity verification: User identity, device identity and security posture are continuously validated throughout each session. By adjusting access in real time, based on risk and changing conditions, ZTN solutions keep access privileges current and adapt to evolving threats.

• Attack surface reduction: Network segmentation and strict enforcement of least privilege minimize attack vector and prevent lateral movement. ZTN solutions use microsegmentation to break a network into small, isolated segments, allowing tight control of access between zones. This safeguards critical assets and contains the impact of a breach. This strategy is ideally applied to critical business applications and assets.

• Granular access control: Access is limited to specific applications or resources. This least-privilege approach ensures that users access only what the responsibilities of their roles require. This significantly reduces the ability to carry out an undetected attack. This may be achieved using ZTNA or security service edge (SSE) as part of the SASE framework.

Together, these capabilities secure user-to-application and backend-application-to-dependency connections.