Cybersecurity To Protect From Malicious AI: Will Sweeney On How To Develop An Effective Product Security Strategy

An Interview With David Leichner

Be aware of deep fakes. Recently, AI has been able to produce very convincing sounds, images, and videos to accurately pose as real people (this is called a deep fake), so keeping employees abreast of this growing threat is becoming increasingly important. Make sure to have protocols in place to ensure that messages coming through are actually from who they say they are.

Cyber threats are evolving, with malicious AI posing a significant risk to the digital infrastructure of organizations. How can Chief Product Security Officers (CPSOs) effectively protect their products and their organizations against these AI-driven cyber threats? What should be their primary areas of focus when developing a product security strategy to ensure the security and integrity of their organization’s products? This series will delve into the role of CPSOs in crafting robust product security strategies to safeguard against malicious AI. We will explore their challenges, successes, and insights into how to maintain the integrity and security of their products in this rapidly changing cyber landscape. As a part of this series, I had the pleasure of interviewing Will Sweeney.

Mr. Sweeney is a skilled and experienced consultant, auditor, and project manager who demonstrates expertise in information systems controls, IT audit and assurance, risk management, information assurance policies and procedures, and IT governance. His consulting engagements focus on improving the security posture of client systems to protect sensitive data by complying with information security requirements such as the National Institute of Standards and Technology (NIST) guidelines, Sarbanes Oxley (SOX), International Organization for Standardization (ISO) 27001, and privacy regulations such as the EU General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). Mr. Sweeney is adept at managing consulting engagements, including risk analysis, scope setting, testing and evaluation, client and leadership relations, and report writing.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I was born in Ireland and migrated to the United States in the late 80s. My father, also William, came to the US with a dream of creating a better future for his family. When we first arrived, my dad worked for a plumber and learned the trade. Shortly after, he decided to start his own plumbing business. After taking out two advertisements in local circulars, he set out to build our family business, which he successfully ran for forty years. I was fortunate to grow up with parents who loved me deeply, wanted us to prosper, and gave us the opportunities they never had to learn and build a career. I also had the good fortune of learning how to run a business (and how to navigate the highs and lows) up close and personal.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I was inspired to pursue a career in cybersecurity at a very early age. I began by learning as much as I could about computers, web development, and networking. I had the opportunity to build a website for my high school when I was just a teenager, and through that process, I started to work with the high school’s IT team to understand how all of the systems were networked and protected. From there, I did thorough “testing” of the system controls to make sure they were operating correctly.

Can you share the most interesting story that happened to you since you began this fascinating career?

There are so many interesting stories! In my first career out of college as an information security auditor, I can recall sitting in federal office buildings delivering the results of information security audits to Inspector Generals and Information Security Officers, which was a very unique experience at such an early age!

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

I’ve learned a lot about leadership over the past several years, and I’m lucky to have great mentors as well as a great team to work with. If I were to sum all of that up into three character traits, I would say:

1.) Being resilient and consistent

Anyone can be excited about something for a short period of time, or even for a long period of time. True leadership, however, is being able to stay engaged with your business day in and day out, even through adversity. You have to be resilient to navigate difficult times, and you have to be consistent in your messaging with your team and with your customers.

2.) Understand where someone is coming from first before you try to get them to go where you want them to go

Everyone is dealing with challenges, both personally and professionally. As a leader, you have to build rapport, provide mentorship, and know how others work best and what gets them excited. It’s not fair to expect someone to be something they are not — or that they don’t want to be. You must get to know the people you are leading, how they are motivated, and what things they may be dealing with that are impacting their ability to succeed. Your team’s success is your success, and vice versa. Invest in your people!

3.) Be willing to contribute to what your business needs, what your customers need, and what your team needs

I truly believe that leaders should lead by example. Be willing to contribute in any way that your business, customers, and teams need you to. Stay humble and available.

Are you working on any exciting new projects now? How do you think that will help people?

We are working on a very exciting project rolling out a global data security and privacy program for a large enterprise, which is a diverse and complicated company with multiple entities and varying levels of maturity. I think this project will help people understand the importance of data security and privacy and how the controls the business has in place secures and safeguards data within the enterprise. Once they have a shared perspective of that importance, it will help enable the organization to do their job more effectively and securely.

Can you briefly explain the role of a CPSO and its significance in the context of cybersecurity and product security?

A CSPO, or Chief Product Security Officer, generally oversees the security and data privacy of an organization’s software or other digital products that contain sensitive information or code. CSPOs manage digital product security in a number of ways, from implementing cybersecurity programs to actively addressing threats when they occur. This role is becoming increasingly important with the rise of new cybersecurity threats and state privacy legislation.

How does the rise of AI and machine learning (ML) impact the product security landscape? What are some unique challenges that CPSOs face when dealing with AI-powered systems?

The rise of AI and machine learning poses unique challenges in the product security landscape because these technologies don’t work on a 9 to 5 schedule and are constantly learning and adapting to find new ways to breach cybersecurity safeguards. This means that counter measures need to be equally, if not more, relentless than the systems used by malicious hackers. This makes the job of CPSOs and specialized cybersecurity consultants more important than ever. Professionals in this industry need to continuously stay on top of trends in order to identify and address new threats.

Can you share an example of a real-world incident or threat related to malicious AI that you’ve encountered, and how you responded to it? What lessons did you learn from that experience?

Over Christmas and New Years, we dealt with a security incident where one of our clients had been breached. The breach led to the attacker gaining direct access to an endpoint in the client’s environment which was being used to call home to a command and control center of the attacker. We quickly initiated incident response procedures directly with the client, staffing our incident commander to deal with the matter and engaging with other experts both inside and outside our team. We were able to learn a lot about the attacker and the attack type, but more importantly, we were able to learn how our team responded in those types of scenarios. This led to us being able to better prepare for future events and understand how to get our team and our client on the same page and ready to respond.

What advice do you have for organizations that are in the early stages of developing a product security strategy for AI systems? What are the key principles or guiding principles they should follow?

First, it’s important to ensure that you have policies and cybersecurity protocols in place that take AI into consideration. Companies and organizations need to make this a core part of employee security awareness training. External malicious AI attacks present the most obvious challenge, but if you or your employees are using AI tools internally, remember that information you enter into these tools may be added to their large language model (LLM), which means your inputs could show up in response to other people’s prompts. This is an important data privacy consideration, so it’s essential to ensure staff are thoroughly trained on best-practices when using AI, especially if your company handles sensitive information. Additionally, consider implementing an AIOps platform. Artificial intelligence operations (AIOps) tools run algorithms over emails reported as spam and other malicious activities to automate cybersecurity monitoring. This can help protect your company from future cyber attacks. In a nutshell, the key principles you should follow are awareness and preparedness. Staying up-to-date with new threats and technology is crucial, especially with how quickly things are evolving.

How important is collaboration between CPSOs and other stakeholders, such as software engineers, data scientists, and ethical hackers, in ensuring the security of products? How do you foster this collaboration effectively?

It’s critically important, but collaboration has to go beyond software engineers, data scientists, and ethical hackers. The entire organization (or anyone at your company with access to the internet, which is likely everyone) needs to be on the same page when it comes to protecting against threats. Malicious AI can target anybody through adaptive malware, phishing scams, and more. That means collaboration and awareness training is important across the entire organization, from the CEO to the interns. To foster effective collaboration, it’s important to try and distill information down in digestible, easy-to-understand formats. Complicated tech jargon may be overwhelming to certain staff members, and this can cause them to disengage and not pay attention to what you’re saying. Try to educate them in ways that help them easily understand, recognize, and report threats as they occur.

Ok, thank you. Here is the main question of our interview. What are the “5 Things We Must Do To Protect From AI-Powered Cyberattacks” and why?

1 . Implement basic security controls. By implementing basic security controls based on a well-established framework (ISO/NIST/CIS), we can avoid a lot of surface level attacks that companies fall victim to. Some of these basic controls should include firewalls and password encryption. Being proactive in your security strategy is a great first line of defense against AI-powered cyberattacks.

2 . Data privacy. Today, taking steps to protect your data is more important than ever. From encrypting files to managing access to sensitive information, every company needs to have safeguards in place to make sure their data is protected. Unfortunately, many people don’t realize how valuable their data actually is and how far malicious actors are willing to go in order to steal it.

3 . Be aware of deep fakes. Recently, AI has been able to produce very convincing sounds, images, and videos to accurately pose as real people (this is called a deep fake), so keeping employees abreast of this growing threat is becoming increasingly important. Make sure to have protocols in place to ensure that messages coming through are actually from who they say they are.

4 . Know your customer “KYC” enhancements. With deep fakes and other scams on the rise, it’s important to implement KYC enhancements to mitigate the risk of a cybersecurity breach. New adaptive AI technology makes it easier for hackers to pose as a customer, giving them access to your sensitive information. Make sure to put safeguards in place to mitigate exposure to this risk.

5 . Update and patch your systems. The AI landscape is constantly evolving, so staying ahead of the curve is the best way to prevent issues from occurring. Always make sure to keep your cybersecurity safeguards up-to-date to secure potential access points for hackers and malicious AI. Remember, you have to be proactive. Things are evolving too quickly to sit idly, and in the world of cybersecurity, the best offense often looks like active defense.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

Be more conscious about what you’re doing with your data and what you’re sharing online! People tend to underestimate how useful their data is and how susceptible it is to attack. They also underestimate how organizations are using their data to target and influence their purchasing decisions and their thinking. Read the privacy notices! Turn off the tracking! Browse anonymously! In other words, try not to blindly share information about yourself online. Instead, take an informed approach and err on the side of caution.

How can our readers further follow your work online?

You can follow me on LinkedIn at https://www.linkedin.com/in/will-sweeney/ and on our website at https://zaviant.com.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!