Are You Asking the Right Questions About AI?
CISOs have a tough job. They’re trying to protect their organizations from more and more advanced threats. And with AI risks on the rise, it's only going to get harder.
The thing is, AI is now being used by both sides — attackers and defenders. But here's the catch: a lot of experts think the advantage is shifting toward the attackers, at least for now. In fact, the UK’s National Cyber Security Centre put out a report earlier this year warning that AI is likely to make ransomware attacks even worse worldwide.
So, with all this in mind, CISOs really need to start asking themselves some tough questions about AI and what it means for cybersecurity. I’ve come up with eight key questions I think you should be thinking about right now.
1. How is AI changing the way cyberattacks happen?
It’s really important for CISOs to understand how hackers can use AI to make attacks quicker, smarter, and more dangerous. With AI, attackers can automate what they do, avoid regular security systems, and adjust their tactics in real time.
This means attacks can develop faster than most security tools can handle. Because of that, companies need to assume a breach will happen at some point. The best way to stay safe is to set up proactive, automated security measures that can catch a breach early and stop it from spreading across the network.
2. Why is basic cyber hygiene so important for defending against AI attacks?
Even though AI is powerful, basic cyber hygiene is still the foundation of any good cybersecurity defense. CISOs need to focus on things like patch management, training employees, and making sure systems are securely set up to lower the risk of AI-driven attacks.
It’s also important to remember that the best approach to cybersecurity is a layered one. There isn’t a single tool or technology that can guarantee complete security. Companies need to have multiple layers of defense, and it all starts with strong basic cyber hygiene.
3. Are our cybersecurity strategies keeping up with the rise of AI-generated attacks?
It's important to understand that cyberattacks evolve continuously rather than arriving all at once.
CISOs need to make sure their cybersecurity plans can adapt and respond to new threats, especially those using AI. That’s why modern approaches like Zero Trust focus on creating systems that can handle attacks, instead of relying on the old idea that you can block every single breach. It’s about being prepared to deal with attacks when they happen, not just trying to prevent them.
4. How can zero-trust security principles help reduce the impact of AI risks?
With AI in the mix, the ways hackers can attack are growing, and they’re getting more advanced and specific in their tactics. The old methods of detecting, responding to, and recovering from attacks just aren’t enough anymore.
Instead of focusing only on cybersecurity, companies should be thinking about cyber resilience. That means not just trying to stop attacks but being able to survive them and keep things running.
Using a zero-trust security model can help by shrinking the attack surface and limiting how far hackers can move within a network. CISOs should take a close look at how well Zero Trust fits into their overall security strategy.
5. Are we investing in the right areas to stay safe?
CISOs need to be careful not to fall into the trap of spending too much on things that give quick results but don’t tackle the real risks of AI-powered attacks.
Instead of focusing only on the latest threats, they should think about the overall value of their security strategy. When talking to the board, it’s better to shift from reactive, story-based reports to more data-driven, value-focused ones. It’s important to balance spending on technology, training, and managing risks to build long-term resilience.
6. What steps can we take now to build resilience against AI risks?
With AI-driven attacks becoming more of a real threat, CISOs need to take proactive steps to make their organizations more resilient.
Cyber resilience is crucial today to keep businesses running even during an attack. The best way to build this resilience is by using a zero-trust approach, which is a proven strategy that follows the idea of "never trust, always verify." This helps protect systems by always checking and limiting access to critical data.
7. How can we work together with industry and government partners to tackle AI risks?
With AI taking off in 2023, governments around the world are starting to tackle the risks it brings:
- In October 2023, the Biden Administration issued Executive Order 14028 on Safe, Secure, and Trustworthy AI. It sets new standards for AI safety and security and aims to protect Americans' privacy.
- In early November 2023, the UK held an AI Safety Summit, bringing together global cybersecurity leaders, AI experts, and government officials to talk about the risks of AI and how to work together to lessen its impact.
CISOs need to keep an eye on these government actions and possible new AI security mandates. Since AI threats go beyond just one company, CISOs should look for ways to collaborate with industry peers, government agencies, and researchers. Sharing information and best practices can help everyone better defend against AI-driven attacks.
8. How can we create a culture of innovation and flexibility in our approach to cybersecurity?
Cybersecurity isn't just something for CISOs and their teams to worry about — it's something everyone in the organization should be focused on.
With AI, it's going to be easier than ever for bad actors to carry out social engineering attacks. That’s why CISOs should team up with leaders across the organization to build a culture of security awareness and ongoing learning. They can help create open communication about cybersecurity between different teams and encourage everyone to work together on security initiatives.
Be prepared for AI changes to cybersecurity
By asking the right questions and taking proactive steps to tackle the challenges that come with AI-driven cyber threats, CISOs can make their organizations stronger and reduce the risks from these rapidly evolving attacks.
Trevor Dearing
Director of Critical Infrastructure Solutions