All industries
New Zühlke research shines a light on the shifting security landscape and the changing role of the CISO. Here we unpick the key findings and share practical steps on how to defend against emerging AI threats and the careless use of AI systems.
If there’s one idiom that will resonate with CISOs everywhere, it’s probably: don’t run before you can walk.
Security leads have long stressed the importance of laying the right groundwork for successful outcomes. And in today’s rapidly changing AI landscape, that ethos has never been more important.
In the race to innovate and compete (and, often, to please shareholders), businesses are tripping over themselves to bring AI into the heart of their tech stack. But this can be a dangerous game if it means bypassing adequate threat analysis processes.
It’s a tug-of-war that looks set to stress-test frameworks and redefine roles across the information security industry. So what’s the safest way forward?
To help find answers, we conducted qualitative research with 22 chief information security officers (CISOs) and security leaders across the DACH region – in complex and, in some cases, highly regulated sectors, such as healthcare, financial services, pharma, government, IT, and transport.
Here we explore what those findings can tell us about the evolving security landscape, secure AI best practices, and the changing role of the CISO.
95% agree businesses will embrace AI adoption, regardless of security
95% plan to educate all employees on AI security
71% say their role is changing from ‘security control’ to ‘risk decision facilitator’
45% expect their business to create dedicated AI security roles
44% say their firm is well prepared for the transition to AI
‘Prompt injection’ happens when an AI system confuses data and instructions. This is especially dangerous with emerging tools that have access to users’ computers – as with the new ‘computer use’ ability debuted by Anthropic’s Claude.
As an example, if you ask an AI system to summarise a PDF file, and the data in the document contains a malicious instruction, the AI could execute that instruction on a system level – with devastating consequences.
AI’s business impact will be transformative in more ways than one; the role of the security officer is going to need to change alongside the tools at hand.
CISOs are cautious by necessity, but becoming the voice of reason against AI bullishness might increasingly put them in the role of the nay-saying bad guy.
In our research, 71% of CISOs believed that their role is changing from being the owner of ‘security control’ to one of ‘risk decision facilitator’. Here, the game becomes one of saying yes to the lesser of several evils instead of having full, end-to-end control of the tech stack.
The responsibility of CISOs is to ask: ‘Is the technology mature enough that we can deploy it to our employees?’ And if not, they need to explain why. It's more about acting in the interest of the greater good than the competitive advantage your organisation stands to gain.
In many cases, that means assuming the worst.
We’re moving to a zero-trust paradigm, where we place no trust in any of the systems or requests we receive. From there, we evaluate and validate thoroughly before execution.
This stance must be based on a level of healthy skepticism, but also on a deep understanding of the technology itself. Security practitioners must have a fundamental understanding of what is and isn’t possible with AI.
This becomes especially important when considering that only 45% expect to create dedicated AI security roles, and just 32% plan to hire AI security experts.
With multiple risks butting heads with the pressure to adopt AI rapidly, it’s no surprise that less than half of the CISOs we interviewed believe their organisation is well-prepared for the transition to AI.
Only 44% of CISOs agree: My organisation is well prepared for the AI transition.
So what can we do to hold back the tide of possible security breaches? As is usually the case, the solution often begins with people, not technology.
Let's start with something CISOs have been talking about for years: awareness and education. It sounds overly simple, but with new technology comes new risks, and these new risks must be explained.
Of course, education can be a hard sell. You don’t want to go in front of people and say: here’s another boring, two-hour education session, because people generally hate that. But for compliance and security, education is key. We need AI literacy across employees, society, the economy – across the board.
'A good way to improve literacy in the AI era is to let people experiment in safe environments. Rather than have colleagues feed sensitive data to public models, they should be given access to well-shielded environments where they can gain their own hands-on experience'.
The second part of the puzzle is about getting processes and technologies under control. That means working on internal governance programmes and frameworks built to handle this new technology, as well as using controllable, open-source, and explainable AI models wherever possible.
Our recommendations here are clearly outlined in our responsible AI framework, but in the main, we’d suggest that CISOs exercise caution, control, and patience above all else.
The following eight steps provide a rock-solid starting point for your secure AI strategy:
The good news is that there’s already evidence of this groundwork in action. In our study, 80% said they planned to have policies regarding AI security issues in place in the next 24 months, while 95% plan to educate their entire employee base on AI security.
Ultimately, while it may be impossible to keep every AI risk under control at all times, it’s important to stay pragmatic in your approach. Combining the strengths of people and machines – and maintaining human oversight – is often the key to secure AI use.
Zühlke is already helping organisations across industries walk this complex tightrope – providing a guiding hand in translating proofs-of-concept tools into scalable, secure solutions.
