'Really frightening': IT leaders on cybersecurity in the age of AI

'How do you work out what's real and what's not real?'

Ian Golding and Joanna Smith talking to Computing's Tom Allen

The already tricky job of prioritising security interventions is being made even more difficult by the arrival of deepfakes and generative AI.

So said interim CIO Ian Golding, speaking on a panel at Computing's IT Leaders Summit last week, who described this development as a "step change".

"I do feel slightly panicky about the need to move more quickly in this potentially dystopian world where our conversation could be filmed and turned into Japanese and be quite convincing," he said.

"That's quite scary. And perhaps I should be careful what I say over the phone, because someone could take that and use your voice as a biometric to get into your bank account. All this is happening around us right now."

However, protections against the new threats cannot come at the expense of the existing ones, he went on.

"We have to get on with all the other stuff to have any chance of being prepared for what comes next."

Joanna Smith, interim CIO at University Hospitals Sussex NHS Foundation Trust, agreed.

"There's the old adage that you don't have to be that sophisticated, just get the basics in first, but that's really frightening. How do you work out what's real and what's not real? Ten years from now, how will that be managed?"

Even getting the basics in place can be tricky in organisations like the NHS, which undergo constant reorganisations and operate on a shoestring budget. Smith mentioned, but did not name, an NHS trust with a 400-strong IT team with no dedicated cybersecurity function: "just one person with a security title way down in the organisation."

To cover many aspects of security, the NHS employs managed services, but Smith said she is concerned about a lack of in-house capacity.

"Our biggest problem is funding, followed very closely by capability. Staff don't necessarily get the investment and training to fully understand the system. The combination of that lack of full understanding, the capability, and the lack of funding makes it very challenging to know what to do with the limited money you've got."

Understanding risks

However, she said things are at least starting to change. There is a growing understanding at the executive level of the vital importance of managing cybersecurity, in part because of incidents like the WannaCry ransomware attacks that affected hospitals including Great Ormond Street, and in part "because NHS England mandates it." The topic of risk now comes up in conversation in a way it didn't before.

"I'm getting execs coming to me and saying, we know we need to have assurance but we don't really know what that means. That wasn't happening five years ago."

For Golding, the way to prioritise risks is to start from the basic question: what can we really not afford to lose?

"I'm asking, basically, how would you or your team function if you suddenly have no data or the worst case scenarios play out? It's not a scare tactic. These are actually sensible conversations about risks that may manifest, to which there may be a response. Then, when we accept it could happen, we accept that we need to reduce that risk - or not. We don't need to insure against every possible risk."

Some turn to cyber insurance to manage and mitigate risks, but that's out of the question for organisations like hers, said Smith, explaining that while University Hospitals Sussex NHS Foundation Trust had cyber coverage back in 2013, the qualifying questions asked by the insurance companies are now so onerous that "if we answered them honestly we probably wouldn't qualify."

Given the stringent criteria required by insurers, in the end "you might just be better off bolstering your own defences in the way you want to, for objective reasons," Golding added.