
Author: ISACA Now
Published: May 28, 2024

Editor's note: Several ISACA members attended the 2024 RSA Conference earlier this month in San Francisco, California, and shared their main takeaways from sessions on security industry trends, particularly in light of heightened risks from artificial intelligence. Below are their insights. For more AI resources from ISACA, including information on new ISACA training courses in AI, visit yfcyms.salvationsoaps.com/ai. For information on upcoming ISACA conferences, including the 2024 GRC Conference and the ISACA Europe Conference, visit yfcyms.salvationsoaps.com/training-and-events/conferences.


Even more vendors than last year are touting how they use artificial intelligence in their products. For example, I saw various products that offer a plain-English dialogue via generative AI to ask questions about security events or posture, use AI to analyze security events and security posture, or automatically detect files and emails containing sensitive data. In some cases, the companies were born in AI and have developed cybersecurity solutions from scratch using AI. In most cases, AI is a bolt-on with varying degrees of integration and success. In some cases, it was clear that the claimed use of AI was mostly lip service.

Organizations are looking to move beyond just incident management and toward cyber resilience. For example, even in the face of a persistent ransomware attack, the organization's operations will remain up and running. This would alleviate many of the incidents we have seen with organizations being down for days or weeks at a time. Even though an organization may have data and system backups, restoring them often takes a long time, and victims sometimes pay the ransom in an effort to return to normal operations faster.

Varun Prasad, Senior Manager, BDO USA and ISACA Emerging Trends Working Group Member

The recently concluded RSA Conference in San Francisco had a landmark year; as one would expect, this was the year AI took center stage and was the focus of virtually every presentation, panel discussion and exhibited product. The themes around which these conversations centered were the use of AI in cyber-defense techniques to improve our cybersecurity posture, and AI governance, risk and security.

One of my biggest takeaways from a panel discussion on AI was that it is important not to get caught up in micro-level risks like AI use policy or specific LLM-focused risks, but rather to look at the big picture and tackle the risks posed by the development and use of AI at a broader macro level. The key enterprise-level AI risks can be categorized into three buckets: data risks (data management for training and fine-tuning); AI development risks (algorithmic risks, development and deployment of models); and AI operations risks (monitoring for accuracy, bias or drift). This concept really resonated with me, as it is crucial for an organization to identify the top risks in these areas, develop a framework and implement the relevant processes and controls to help meet the organization's AI-related objectives and improve the security and trustworthiness of its AI systems.

In addition, a number of sessions revolved around the traditional topics of cloud security, container security and application security. The main message was that, given the current geopolitical climate, we are seeing an increase in threat actors. So it is important to adopt a "breach mentality" and aggressively manage the attack surface, patch systems and recognize basic social engineering tactics.

Clift, Principal Executive Advisor, Cyber Risk Engineering, Liberty Mutual Insurance

The biggest takeaway from the RSA Conference was probably the ubiquitous "AI." From offsite sessions on emerging AI technology, to discussions on governance and best practices, to so many of the vendors on the expo floor highlighting how their systems use AI capabilities, it was everywhere. But do we have a complete understanding or description of what AI is? What used to be the stuff of science fiction is now a label applied to everything from statistics and machine learning to neural networks and large language models. In the future, will all of these be distinguished by their tools and techniques? How do we secure these specific types of systems while they are in their infancy, with different requirements for different kinds of models, and what kinds of compromise would affect them in particular?

Materiality is the new word on the street regarding incidents and regulatory compliance. What is material and what is not? We seem to be moving away from what was originally only risk quantification in methodologies like FAIR toward a broader understanding of the impact of cyber incidents. This is a good thing: although an incident may not seem material at first, determining that is difficult, and it may still have an impact several years later. Lawyers and cyber leaders alike discussed the impact of the SEC requirements, and discussions were prevalent about cyber leaders' concerns over the personal legal ramifications of cyber incidents, the long-term impacts of a compromise, and the need for boards to consider the vested interest of including the CISO in D&O insurance as well as at the board table. With situations looming that could lead to incarceration or crippling fines for individuals involved in cyber incidents, these discussions were everywhere at the conference, and offsite as well.

Another thing to note was the shrinking of some vendor spaces at the event and more offsite events from vendors. Marketing budgets around cyber products seem to be shrinking, which may mean cyber budgets are shrinking, or simply a contraction among cyber service providers, something that has been expected for some time.

Koanda, CISA, CISM

My takeaways from the RSA Conference were multifaceted and full of deep insight. I was impressed by the quality of the topics and the panelists. The sessions, especially the one on the past and present of privacy, were astonishingly informative: data collection concerns have existed for decades, making privacy a long-standing issue. The 1987 CIA triad highlighted the urgent need to address these privacy concerns.

The prevalence of AI in the discussions was particularly striking, with AI-related topics accounting for 85% of the sessions. This underscored the growing significance of AI and the urgent need to understand and mitigate its potential threats to privacy. As a newcomer to RSA, this focus on AI was eye-opening and emphasized the importance of staying informed about advancements in AI technology.

In addition, I was pleased by the diverse range of attendees at the conference, with strong participation from people of color and women. Organizations like WiCyS and Cyversity are making notable strides in promoting diversity and inclusion within the tech industry.


The emerging trend of AI brings great efficiencies while also introducing new security challenges (advanced ransomware, deepfakes, targeted attacks, bots, etc.). The AI in this wave has three focuses: text to text, text to image and text to video. You can see lots of combinations when the text-to-text focus crosses over each of the key areas of security and compliance, such as IAM, security operations, etc., while we also see some companies leverage multiple detection models that cover all perspectives. From the perspective of AI layers, most of the products sit at the AI application layer, while a few also cover the cybersecurity and compliance risks at the data infrastructure and model layers. Please connect with me on LinkedIn so we can discuss further.

