On the 7th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Viswa Vinnakota, Chief Information Security Officer at Xerox. Xerox is a foundational computing and technology company with over 20,000 employees and multiple spinoff companies operating at the frontier of modern technology. In this conversation, Viswa shares his thoughts on enterprise adoption of AI, the growing implications of AI's accessibility, and AI's impact on the future of cybersecurity.
In an era defined by digital transformation, businesses stand at the crossroads of increasing innovation and security needs. As technology evolves, the integration of SaaS applications and AI technologies becomes increasingly relevant for enterprise businesses. Navigating these challenges requires a comprehensive approach encompassing policy development, security measures, and consideration of AI's broader impact on humanity. Viswa discusses how balancing the competing interests of innovation and security is crucial for organizations looking to thrive in this evolving technological landscape. "[AI] is beneficial for your organization to succeed, and at the same time, it creates a set of risks. Clearly understanding those risks and trying to implement your processes and tools are important for organizations to tackle the risks of generative AI."
Viswa acknowledges that SaaS applications present a unique challenge because organizations lack control over the underlying infrastructure. Unlike traditional operating models with service accounts and active directories, SaaS applications involve APIs, secrets, and keys interacting over the internet. This reality can make it challenging to track who communicates with whom and what privileges they hold.
Viswa also discusses the fascinating duality unfolding because of generative AI. On one side of the spectrum, the potential for innovation and increased productivity is real, particularly in education and software development. While this advancement shows great promise, it also extends to the darker corners of the digital world. Criminals, too, can harness these tools, raising questions about the potential for a surge in cyber threats. Viswa draws attention to the rise in phishing attacks, where threat actors employ generative AI to craft sophisticated messages that slip through conventional email security measures. "I've seen certain references to threat actors creating their own tools on the dark web based on generative AI. The name I heard is WormGPT. And I've come across certain references where people develop exploit tools based on generative AI. They don't have to think about how the exploit works. All you need to do is say here's the input, go and exploit."
Large companies recognize the increasing complexity of risk profiles as they diversify into various services beyond their core offerings. Viswa emphasizes that the most significant challenge lies in constructing a cybersecurity program that accommodates these diverse business practices. He discusses the potential of AI tools in bolstering security efforts, particularly how enterprise businesses can begin maximizing their exposure to the advantages of this new technology safely. "As an organization, we have to build our own private instances where we can actually freely use our data and go beyond boundaries to harvest the capabilities of generative AI rather than encouraging people to go and use the publicly available generative AI instances." However, Viswa cautions that while AI can enhance productivity and efficiency, it should be a human-dependent aspect of an organization's security strategy.
Viswa's pragmatic approach to hiring in the cybersecurity field focuses on adaptability. While technology adoption is necessary, a foundational understanding of security principles is paramount. Cybersecurity professionals should be eager to learn and embrace emerging technologies and tools, ensuring their organizations remain resilient against evolving threats. "What is important is the foundational knowledge and expertise in security. Learning a tool is a matter of time. So what I look for in people is more about their adaptability, what skills they have, and how they're going to adapt as these new technologies and tools come in."
The boundaries between innovation and vulnerability can blur in this new frontier of AI empowerment. Viswa shares his hope for a unified, all-encompassing AI solution that can comprehensively defend an organization against various threats. While the current landscape involves numerous specialized tools, he envisions a time when a single AI solution can adapt to and safeguard against ever-evolving threats. This vision underscores the pressing need for collaboration among tech innovators, cybersecurity experts, and policymakers to forge a future where AI fuels progress and fortifies our digital defenses, ensuring that the promise of a safer, more productive world is realized.