John Iliadis, PhD, ISSMP, CISSP, CCSP, CSSLP, SSCP discusses whether the significant and rapid evolution of artificial intelligence technologies has placed AI on a path to completely replace the role of a CISO.
Whether artificial intelligence (AI) will replace people in CISO roles isn't just a matter of idle speculation; it stems from the remarkable progress in AI technologies, which have increasingly taken on complex tasks traditionally managed by cybersecurity professionals. To address this question, we need to evaluate both the potential and the limitations of AI in fulfilling the diverse responsibilities of a CISO.
What is AI? The Path from Novelty to Necessity
Once viewed as a mere novelty, AI has now become an integral part of various industries, revolutionizing the way businesses operate. This is far from the first time this has happened: the President of Michigan Savings Bank once advised Henry Ford's lawyer not to invest in Ford Motor Company, arguing that the automobile was just a passing novelty and that horses would remain the primary mode of transportation. It is just one example of the skepticism that often accompanies technological innovation before it becomes a necessity.
AI has evolved beyond its initial hype phase and has demonstrated significant capabilities across multiple domains, including cybersecurity. From improving threat detection to automating mundane tasks, AI is increasingly integral to the current security landscape.
However, could AI take over the multifaceted role of a CISO, a position that requires not only technical expertise but also strategic vision, leadership, and ethical judgment?
The Capabilities of AI in Cybersecurity
AI has made considerable strides in automating various aspects of cybersecurity, positioning itself as a valuable tool for CISOs. Some of the most promising areas where AI is making a substantial impact include:
Accelerating source code security checks – AI's ability to swiftly scan and analyze vast amounts of source code to identify vulnerabilities is one of its most praised capabilities. Tasks that might take human teams days or even weeks to complete can be accomplished by AI in a fraction of the time. This acceleration is crucial in cybersecurity, where the speed of threat detection and response can be the difference between securing a system and suffering a catastrophic breach.
Compliance automation – Compliance with regulatory standards is a complex and ongoing challenge for organizations, and AI can play a significant role in this area. AI systems can be programmed to continuously monitor compliance with various regulations, flagging any deviations or potential issues. This not only reduces the workload on human CISOs but also enhances the accuracy and consistency of compliance efforts.
Enhanced threat detection – AI-driven tools automate threat detection by leveraging machine learning algorithms to identify patterns indicative of malicious activity. These systems can detect subtle anomalies that might be overlooked by traditional methods, allowing for around-the-clock, proactive and effective responses to emerging threats.
Such advances suggest that AI could take on many of the technical aspects of the CISO role or CISO team, improving operational efficiency and streamlining threat hunting.
The Limitations of AI as a CISO
Despite its capabilities, AI faces significant limitations that may prevent it from replacing a human CISO. Some of the most critical limitations include:
Aligning security with business goals – One of the most critical responsibilities of a CISO is to ensure that cybersecurity strategies align with the broader business objectives of the organization. This requires a deep understanding of the business environment, including its goals, challenges and industry dynamics. While AI can assist in analyzing data and providing insights, it lacks the ability to understand the nuances of business strategy and make decisions that balance security needs with business priorities.
Soft skills – The role of a CISO is not just about technical expertise; it also involves strong leadership, communication and negotiation skills. These soft skills are essential for building a security-conscious culture within an organization, from managing teams to navigating complex relationships with various stakeholders, including executives, employees and external partners. AI, for all its strengths, cannot replicate the interpersonal skills critical for these aspects of the CISO role.
Ethical decision-making – CISOs often face ethical dilemmas that require careful consideration of the potential impacts of their decisions. For example, deciding how to handle a security breach or whether to disclose certain vulnerabilities to the public involves weighing risks and benefits in a way that considers not only the technical aspects but also the moral and ethical implications. While powerful, AI may lack the moral compass and contextual understanding necessary to navigate these situations effectively. This is another part of the CISO's job description that AI still can't seem to fulfill.
Balancing risks introduced by the use of AI – Some AI-driven recommendations might conflict with organizational culture, customer expectations, or business strategy. Weighing the risk of using AI against the potential business benefits is a key aspect of the CISO role that remains firmly in the human domain. In some cases, the decision has been to ban AI altogether, at least temporarily.
Adaptation to new threats – While AI can learn from data and recognize patterns, it struggles with unprecedented scenarios where no historical data exists. This is an area where humans excel in comparison to AI, drawing on their experience, intuition and creativity to respond to novel threats. This ability to think outside the box and adapt to new and unforeseen challenges is something that AI, with its reliance on existing data and patterns, cannot yet replicate.
Why AI Could Never Replace a CISO
In my view, it is unlikely that AI will replace a CISO given these limitations. Instead, I suspect AI is more likely to augment the CISO role, handling specific tasks that free up time for them to focus on higher-level strategic concerns. The term "Chief Incident Scapegoat Officer", humorously mentioned in discussions about the CISO role, captures the reality that, despite AI’s capabilities, human CISOs will remain responsible for cybersecurity incidents and breaches. The responsibility, ethical considerations and need for a nuanced approach in cybersecurity decision-making cannot be offloaded to machines.
The legal and regulatory landscapes in which CISOs operate require human oversight and judgment to navigate the aftermath of incidents, manage public relations, propose informed risk choices that lead towards profitable outcomes and ensure that the organization learns from its mistakes, all of which are functions that AI is not equipped to handle.
But AI is Here to Stay - Now What?
My view is that, as AI continues to evolve, CISOs must learn to leverage these technologies effectively. AI can serve as a powerful tool in the CISO's arsenal, acting as a catalyst for more robust security controls and offering customized support through intelligent systems.
For instance, AI can become an essential feature in Intrusion Detection Systems (IDS), enhancing their ability to detect and respond to threats in real time.
Another case where AI can be used successfully for the benefit of enterprises is generating customized apprenticeship programs for young professionals, freeing up the time of experienced professionals and optimizing the apprenticeship process. In the case of young cybersecurity professionals who join the ranks from adjacent professional domains, this can prove to be invaluable.
Beware the Dark Side, Luke
CISOs must remain vigilant about the potential risks AI introduces.
Some 45% of cybersecurity professionals believe that some of the biggest security challenges stem from the introduction of AI use in enterprises.
The dark side of AI is real, with threats such as high-quality deepfakes, powerful attacker tools like PentestGPT, and copyright misuse of AI input or output.
The effectiveness of Business Email Compromise (BEC) attacks, amplified by AI, is a stark reminder that AI can be a double-edged sword in cybersecurity. These threats not only demonstrate AI's potential to aid cybercriminals but also highlight the ongoing need for human judgment and oversight.
The Evolving Role of CISOs in the AI Age
While AI will undoubtedly reshape the cybersecurity landscape, my belief is that it will not replace human CISOs. Instead, the role of the CISO will evolve, with AI taking on more of the technical and routine tasks, allowing CISOs to focus on strategy, leadership and ethical decision-making. Human oversight will become even more crucial in navigating the complex and ever-changing cybersecurity environment.
CISOs embracing AI, leveraging its strengths while recognizing its limitations, will be better positioned to protect their organizations in the digital age. As Archimedes famously said, when he first defined the principle of the lever, "Give me a place on which to stand, and I will move the Earth". In the context of cybersecurity, AI provides a powerful lever that can move mountains - but it is the human CISO who must decide where and how to apply it.
By blending the best of both worlds - AI's computational power along with human intuition and leadership - organizations can create a cybersecurity strategy that is both robust and adaptable, ready to meet the challenges of today and face the unknown threats of tomorrow.
John Iliadis, PhD, CISSP, CCSP, CSSLP, ISSMP, SSCP has over 20 years of experience in the Financial and R&D sectors. John has held cybersecurity, IT and R&D roles, with responsibility for enabling cyber-resilient services, aligning information security with business needs, leading cybersecurity and IT teams, as well as spearheading complex technological changes. He is also the current President of the ISC2 Hellenic Chapter.