Cybersecurity Teams Left Out of AI Decisions, ISACA Finds

Research from global technology governance body ISACA reveals 45% of security professionals have no involvement in their organisation’s AI implementation

Cybersecurity teams are being excluded from crucial decisions about artificial intelligence implementation, according to research published by ISACA, the global professional association that provides governance frameworks and security certifications.

The study of 1,800 cybersecurity professionals reveals that only 35% of security teams are involved in developing policies for AI technology use within their organisations. A further 45% report having no involvement in the development, onboarding, or implementation of AI solutions.

Security operations focus

The research indicates that organisations are primarily deploying AI within security operations for specific use cases. Twenty-eight per cent of respondents report using AI for threat detection and response automation, while 27% utilise it for endpoint security - the protection of devices connecting to networks. A further 24% employ AI to automate routine security tasks, with 13% focusing on fraud detection.

Jon Brandt, Director of Professional Practices and Innovation at ISACA, says: “In light of cybersecurity staffing issues and increased stress among professionals in the face of a complex threat landscape, AI's potential to automate and streamline certain tasks and lighten workloads is certainly worth exploring.”

However, Brandt emphasises a broader concern: “Cybersecurity leaders cannot singularly focus on AI's role in security operations. It is imperative that the security function be involved in the development, onboarding and implementation of any AI solution within their enterprise – including existing products that later receive AI capabilities.”

Regulatory preparation

The findings emerge as organisations prepare for new AI regulations. The European Union AI Act, which takes effect from August 2026, will implement requirements for AI systems used within the EU and prohibit certain applications of the technology.

To support organisations in meeting these requirements, ISACA recommends implementing audit trails and traceability measures. The organisation advises companies to adapt existing cybersecurity and privacy programmes and designate an AI lead responsible for monitoring AI tool usage across the enterprise.

ISACA's research coincides with the release of new guidance on authentication systems that use AI. These systems can adapt to user behaviour patterns to enhance security but face challenges including potential manipulation through adversarial attacks - where malicious inputs are designed to fool AI systems.

The report highlights additional considerations for organisations implementing generative AI policies. These include defining acceptable use terms and ensuring compliance requirements are met. The guidance comes as businesses grapple with the integration of large language models and neural networks into their operations.

ISACA, which serves 180,000 members across 188 countries, is expanding its educational programmes in response to the changing landscape. The organisation has launched new courses focusing on machine learning for business enablement and neural networks. A new certification, the Certified Cybersecurity Operations Analyst, will launch in the first quarter of 2025.

The research, sponsored by Adobe, the digital experience software provider, forms part of ISACA's annual State of Cybersecurity survey report. The survey examines trends in the cybersecurity workforce and threat landscape.


Cyber Magazine is a BizClik brand
