Jason Keirstead
Security
Generative AI in Security: Should it just be an accelerant, or also a paradigm shifter?
As I survey the cybersecurity landscape and how Generative AI has been applied to it, I see the same trend over and over: acceleration.

Generative AI is nearly always used to take an existing process that is bottlenecked by humans and supercharge it, using AI and automation to do what humans used to have to do.

From the point of view of a cybersecurity solution provider, this approach has a few attractions:

- It is easy to design and build. I am a subject matter expert in my domain, and I often have customers (and data) that align directly with it, so when I set out to build an accelerator it is easier to train my models and/or engineer my prompts.
- It is easy to add on to my existing solution, so it does not disrupt my existing revenue stream, which is modeled on the SOC paradigm we have operated under for the past 30 years. If this whole GenAI thing turns out to be a flash in the pan, my existing product and revenue streams still exist.
- It is simple to map to widely accepted metrics. If applying my GenAI system reduces your MTTD, MTTR, MTTP, or cost per incident, CISOs understand those value propositions, and so do security teams. I don’t need to create a new metric, and that makes my life much easier.
Something about this had been bothering me. If all we are doing with GenAI in cybersecurity is taking the existing way we do things and making it faster, is that really the best approach?

There is a famous quote, often attributed to Henry Ford, about how innovation happens: “If I had asked people what they wanted, they would have said faster horses.”

Beneath it lies a deeper message: it is extremely difficult for the average person, even a subject matter expert, to foresee the impact a paradigm-shifting innovation like GenAI may have.
Thinking Larger
As builders and practitioners, simply taking what exists and making it faster is not enough. We need to be thinking larger, much larger. What do I mean? Here are a few examples that come to mind (though the list does not stop here):

- Does the way we map the NIST CSF to our SOC operations still make sense? Or are we now architecting SOCs entirely wrong? If we built things from the ground up today, would we still do them the same way, or would we change them so that GenAI can operate at scale?
- Are there things GenAI can allow us to do to reduce organizational risk that were simply never done before, either because they were too difficult for humans or were never thought achievable at scale?
- Speaking of organizational risk: we should all expect increased scrutiny of the costs of risk reduction efforts after the recent events involving CrowdStrike. Are there things we can be doing to quantify our risk more effectively and map it to lines of business?

Part 2 of this series will dive deeper into how Simbian is thinking through some of these big questions and start to explore what can be done to answer them.