Ahead of an upcoming webinar on the topic, Tracy Reinhold, CSO at Everbridge evaluates the maturity of AI and why a quality control component is important at this stage of development.
“If your security programme is not ready for AI, then you should really focus on getting it there,” Everbridge’s CSO Tracy Reinhold says.
A lot of people are shying away from AI because they don’t understand it, or they are intimidated by the technology, or they are concerned with the veracity of the information that it generates, he says.
“Those are all legitimate concerns, but what I would say is, if you are a security manager and you are considering AI, just like anything else, you must do your due diligence.”
AI is a great baseline for gaining knowledge and intelligence, says Tracy, but it must be taken with the understanding that you’re going to have to do some quality control work to make sure that you are getting the right information.
“Security programmes are limited to AI only by their imagination,” says Tracy.
“An easy way to start would be to ask it, what are the board metrics for a physical security programme? This will give you a plethora of information and then you continue to refine your prompts to get what you want.
Maybe you’re a company that has one location, so you want to look at how you would use a physical security integration management system along with controls inside of your facility.
You might ask, how would I use that in connection with external threats facing my operation? And then you may want to look at and say, “I have four locations, or I am a multinational corporation with operations all over the globe – what are the metrics that would be appropriate in this region versus this region?”
So that gives you an opportunity to really experiment with it.
Don’t be afraid of it.
Don’t discard it if you don’t get the answer that you want, because it is an iterative process, and that gives you the opportunity to really learn.”
When getting started, there are two main things you want to think about, says Tracy.
“First, what is my core business? Not the role of security, but what is the core business is that you’re trying to protect?
“Sit down with your software developers or your software engineers who have a better understanding of it. Embrace your ignorance, don’t assume you know when there are people in your organisation who are better versed in AI.
“Leverage those relationships and use them to guide you to the right solution.
“There’s no one size fits all. If you’re looking at potential disruptions to your network, you may want to look at an AI that can provide predictive analysis on potential introductions of malware into your system and how it’s how it’s being conducted.”
AI should be leveraged just like any other resource in the security world that helps you better protect the business, add Tracy.
“It’s just another tool in your toolbox or a weapon in your arsenal that allows you to better serve the company that you are charged with protecting.”
“We had the evolution of corporate security from guards and gates to the utilisation of technology – if you think about things like destination elevators and turnstiles and how they have managed to increase our ability for access control, the evolution of technology should be embraced by corporate security and should also be used in a way that corporate security helps to inform the utilisation of technology.
“We are the practitioners in this space, we know what we’re supposed to be doing and if we can help design technology that enables us to do that more effectively and efficiently then we have a responsibility to do that. “
Tracy admits, “I am not an expert in AI. I use it. I use it in my business, and I use it in my personal life and I use it because I’m I’ve been a little bit enamoured with technology.
“And I love to learn. I think that’s the best thing that AI can do for us as corporate security people – help us accelerate our learning, so that we can protect our organisations more efficiently.”
Tracy continues, “you could ask AI to design a visitor management system for a single location and it will put together a list of things that you should be aware of and then you can use that to start to create new visitor management policy for your company.
“Same thing for access control. Same thing for cyber defence. Again, you’re only limited by your imagination. So, take advantage. It’s a resource that you can use and learn from.
AI allows you to break down the barrier between engineering and security, says Tracy, explaining further, “engineers and security professionals should be joined at the hip and any company because when you look at a holistic strategy to protect the company, the silos are what creates risk and vulnerability.
“So, by connecting the tissue of the company, you’re alleviating that opportunity for threat actors.”
Despite AI’s many advantages, Tracy is keen to go back to his earlier point about exercising caution in its use.
“I think AI is ready to provide a supporting role in security, but I would not abdicate your responsibilities in favour of AI.
“Use it as a tool and a resource but do not use it as the end all that will allow you to do things that you shouldn’t have done without verifying.”
The evolution of AI is happening so quickly and regulation is key.
“A lot of companies or countries around the world are establishing new laws and regulations about what they call responsible use of AI.
“If your security programme use utilises intelligence, AI is a great way to aggregate disparate sources of information and then deconflict that intelligence to meaningful work but you still want to have that quality control, that human analyst’s touch at the very end just to be sure,” warns Tracy.
“The best and the worst thing about intelligence is that there are massive amounts of data out there to the point where you can’t make an informed decision – you’ve heard the term, “paralysis by analysis”.
AI can help you by putting in specific parameters about what it is you want to know.
Let’s say for example, that you’re a company that is in a retail space, and you want to know about specific threats that relate to your geographic area of store locations.
You can use technology to gather that information but then deconflict it so that it only relates to the areas in which you have concern.
The other thing that AI can do is create intelligence reports based on facts.
However, you must make sure that you have a QC component in the intelligence world that gives you the final book before you action it.”
Keep your eyes and peeled for Everbridge’s webinar ‘AI and The Future of Corporate Security’, coming soon on SJUK.
This article was originally published in the March Edition of Security Journal United Kingdom. To read your FREE digital edition, click here.