May 30, 2024

The state of trust in an AI world: VantaCon UK recap

Written by Vanta


At our first-ever VantaCon UK last month, we had the opportunity to bring together a panel of security and compliance experts to share their insights and expert analysis on key findings from Vanta's State of Trust Report.

In this panel session, Colette Hanley, VP of Technology Risk at checkout.com; John Hetherton, Head of Compliance at Evervault; and Michael Pearce, Information Security & Compliance Professional, discuss everything from working with tighter resources to managing compliance across multiple jurisdictions, and of course, generative AI.

[Embedded video: VantaCon UK panel recording, https://player.vimeo.com/video/947755938]

Below are excerpts from the conversation moderated by Vanta's Head of Content, Jenny Thai, lightly edited and condensed for clarity.

More data, more risk to manage

Jenny: One of the key findings from the State of Trust is that two-thirds (66%) of business and IT leaders in the UK say that their business requires improved security and compliance measures. Is this surprising for any of you? In your view, what are the biggest areas of risk facing UK businesses? Mike, I know you have a lot of thoughts on this one, so we'll start with you.

Michael: I think with the huge increase in accessibility and visibility of data in general, the amount of data that companies collect, [and] the awareness of individual data as well, I'm not really surprised that this is top of mind.

John: From a risk perspective, we’re seeing a lot more security-related issues becoming more mainstream. The board knows about security now. So I think there's quite a lot of things that people need to understand and get right from the outset. People are seeing ransomware; it's still very prevalent. With things like email account compromise, protecting identity becomes critical. And the normal kind of things that people need to look after — with AI, they're going to become even more important. Once you understand the risk of where you are, [you can] put controls in to mitigate those and then it's moving forward really from there.

Doing more with less 

Jenny: In addition to this urgency among business leaders to improve security, resources are also getting tighter, with only 9% of IT budgets dedicated to security. How are you seeing these resource constraints play out on the ground? Colette, let’s start with you. 

Colette: I think we're seeing a lot of negative impact. We're seeing our workforce becoming more tired, doing more with less or being asked to. We are seeing projects that are at risk of not being completed properly as well as a bit of short-termism in terms of the goals we set.

However, I think on the whole it can be a positive driver for security professionals. We're used to delivering in a context, and if a budget constraint is our context, well then we get on with it. One of the things that we've been doing is looking at all of our suppliers: Do we have duplication there? Are we getting the best terms with them and asking ourselves, how do we move forward with them? 

Another thing is our tooling. Do we have duplicate tooling? Are we using the tools that we've got to the greatest extent of their functionality that we're not exploiting? So I think what we are doing is becoming more inventive. We don't have a choice, and it's driving more discerning decision making in the business. So it's not a complete negative.

John: Yeah, we see it. What we've done is tried to look for efficiencies. Most engineers absolutely hate verifying false positives. So we've gone down the route of trying to embed tooling that looks a bit deeper than just saying this package has a vulnerability. There are some great tools out there that can tell, okay, that package is present, but it's not actually ever called, so you may not have vulnerabilities there. Looking for efficiencies like that tends to help and also makes an engineer's life a bit easier so they can concentrate on what they need to concentrate on.

Keeping up with international regulations 

Jenny: Compared to leaders we surveyed in other countries — which includes Australia, France, Germany, and the US — leaders in the UK were more likely to cite keeping up with different regulations as a top concern. In fact, 57% say that staying compliant with international regulations is becoming increasingly difficult. I'm curious why you think that is, and what can businesses do to effectively manage compliance across these multiple jurisdictions? 

Michael: With the introduction of AI, there is a lot of new legislation, and bills are either going through or coming through soon. One of the really important things will be getting full visibility of things like the data that you collect and also reevaluating the things that you've done before.

If you've got a website with a cookie consent add-on, go back to it and see, well actually with the new changes, is that still compliant? Is that still doing what it should do? Think about all of your other systems and the data that you may have started to collect and get a full picture of all of that. Then try to keep up to date with the changes in your industry and make sure that you know what's there.

Colette: I don't think we're going to see an end to this anytime soon, and it is tough. How do we manage all of these requirements popping up even if we can identify that they're coming? So first of all, make sure that you know what's coming. That means horizon scanning with your legal team. It means working with your CISO network to find out how they're thinking about it and how they're handling implementation. 

The way that I've tended to approach this in the past is to try to make sure that your core principles are the highest bar. We saw this with GDPR. Let's have that as our baseline, and if we have a local or regional requirement that comes in, we can adapt our framework. Or we can risk-assess: is this an edge case? Do we actually need to do anything, or have we decided the risk for the business is minimal? Another good message here is that regulation on the whole does force us to become better because it means we are looking at our internal operations, we are looking at how we are delivering, and we're holding ourselves to account.

AI risks and opportunities

Jenny: The last thing I wanted to cover with you all today is AI. Our research found that an overwhelming majority (78%) of leaders are already using or planning to use AI or machine learning to detect high risk actions. But at the same time, over half are concerned that secure data management is becoming more challenging with AI adoption. So for this group, what measures do you think security leaders can take to mitigate AI risk? And as the technology continues to evolve, where do you see opportunities to enhance security practices using AI itself? Colette, why don't you take the first question?

Colette: Just like for any new technology, it comes back to good governance. Here what we're looking at is focusing on delivering a trustworthy experience for the end user. As probably everybody here knows, you have to think about security from the start. You have to think about privacy from the start. Security by design, privacy by design. If you are not thinking about the outcome, then you're probably going to end up with a problem. I think a lot of people are on one side of the fence or the other: it's a dystopia or it's progress. And I think the reason for that has a lot to do with some of the early examples where there was very poor governance and we saw bias and discrimination creeping into, for example, some of the facial recognition tech.

Jenny: John, curious where you see some of the opportunities to integrate AI into actually enhancing security practices or compliance management? 

John: The simpler ones are the ones that are getting market penetration now, or copilot-style tooling: query M365 or specific types of alerts, and it will bring you back enhanced, enriched data around specific events. Copilots for secure software development, once they really start to catch on, I think they'll be pretty significant in terms of application security and good software development practices.

Michael: It sounds a little bit extreme, but I think resistance is futile if members of your team want to use ChatGPT to speed up the work and make them more productive. They'll find a way to do so anyway. Yes, there are risks and there are fears about whether data gets leaked, but I prefer to try and focus on how I can provide guardrails so that they can use those technologies well. Similar to if you’re tenpin bowling, and you put the rails up so you can just bowl without worrying about the ball going in the gutter, there are technical things that you may put in place — things like data loss prevention mechanisms, or mechanisms for sharing data securely. If you provide the tools that are specific, like GitHub Copilot for coding versus asking ChatGPT to solve your coding problems, one is more specific and it's less likely to get hallucinations. Sometimes it's worth investing in providing those [specific tools] instead of trying to avoid them being used because you're not ready for them yet.

Want to see more from VantaCon UK? Watch all of the recordings here.
