The topic of Artificial Intelligence (AI) is picking up a vast amount of momentum and coverage across the security industry. Despite the varying definitions of AI, what industry experts can agree on is that the true potential is still to be realized. Digital transformation is crucial for businesses of the future. Front and center of this discussion is AI, and the endless possibilities toward improvements in efficiency and operational performance.
Is the adoption of AI at the tipping point?
Applications that use AI require a significant amount of computing power, using complex and sophisticated deep learning models, and heavily relying on technologies such as graphic processing units (GPUs). Add to these innovations in big data, improvements in algorithms and, possibly the most important area, finance and investment. We now have businesses, universities and governments - organizations large or small - investing in AI.
Addressing the Risk
As an industry, we are not unique in our desire to adopt AI. But, with huge potential comes the prospect of significant risk, as the very same technologies we rely on to deliver AI have inherent threats that must be addressed. While we have seen thorough research that supports the use of AI as a means of defending against a cyberattack, on the other hand it is well documented how cybercriminals are using AI to fuel their activities.
Security technologies have traditionally been deployed to restrict and/or verify access, authenticate identity, or provide environmental monitoring to detect or deter. This has all been done with the purpose of protecting the assets and facilities of an organization. But today more than ever, these same physical security systems connect to many other business systems such as HVAC, HR or marketing.
Some business stakeholders may have previously seen security as a potential business blocker. However, using security to improve business operations and its agility, adopting innovation that drives growth, it’s easy to see how security is increasingly reframed as a business enabler. Utilized this way, security technologies can provide a competitive advantage.
The potential for security technologies
By leveraging the true potential of security technologies, we can offer greater visibility and business intelligence to an organization. This will allow its stakeholders to make genuine data-driven decisions that can streamline and improve business operations through various forms of optimization.
Taking this conversation into an environment that deals with consumers in a bricks and mortar setting, this newfound information on customers can be invaluable. Information such as people counting, queue management, dwell times, heat mapping and demographic information – all anonymized for statistical use – creates significant business power.
In addition to commercial benefit, AI has a public safety utility, for example the capability to search for lost children. If an individual meets a certain profile, they can be identified and potentially located without the need for viewing hours of recorded video. This is achieved by leveraging the benefits of metadata built into video surveillance cameras.
While this information is being analyzed and processed, organizations can push this information to the cloud or a remote location, such as an alarm or video monitoring center. Together, this will improve the accuracy of detection, accelerate the investigation process and automate a response as needed.
What about the risk?
All of these technologies can provide some form of intelligence to an organization, but they will be limited at best if used in isolation. To add meaningful insight, the technology needs to be connected to other systems where the data is analyzed for a useful outcome.
When we consider how security will impact a cause-and-effect strategy in other building systems such as HVAC, in the most basic form we can control lighting or air-conditioning to help businesses align technologies to their sustainability commitments. However, this is only achievable through connectivity and opening access to allow data transfer through the organization’s security systems.
Security systems have traditionally sat on their own dedicated networks, a closed circuit without the provision for broadcasting that also prevents intrusion and creates near-invulnerable protection. Now, opening access to these devices and transmitting valuable data around networks to stakeholders within an organization creates the potential for risk.
The true value of AI is realized when the information has a positive impact on operational performance, reducing time consuming and mundane tasks and allowing individuals and businesses to focus on more important areas. However, when we begin to connect multiple systems and infrastructures to share data, we open the potential to run into significant security issues.
To reduce the risk, it’s key to understand who has responsibility to ensure end-to-end security. With increasingly interconnected individuals, departments, devices, and technologies, we start to blur the lines of ownership, and this brings risk. When cybersecurity is addressed, it can be challenging to identify responsibility – especially when an organization suffers an attack.
What next?
Organizations shouldn’t panic and apply the handbrake when discussing the adoption of technologies that are marketed as AI. If the product is genuinely based on AI, involving data collection, management and shared access, it’s important to maintain a security approach and carry out cybersecurity due diligence in the same way you would for any other IT, IoT, or OT technology. Doing so, it’s apparent that there’s a security principles gap still to be addressed regarding the design, implementation and management of AI solutions.
New complex tools will also be required to secure AI-based processes to mitigate serious security risks. The AI journey has only just started. We will see vulnerabilities, bugs and vendor mistakes. It’s only natural for technology providers to rush their offering to the market as quickly as possible. This is when they turn R&D investment into revenue. While doing so, it’s key to make sure that cybersecurity hasn’t been an afterthought, as the risk could be far greater than the potential reward.
The evaluation of these technologies may be a new concept, but following traditional best practices still applies. This means evaluating the organization providing the technology, ensuring that they can demonstrate their cyber maturity. Penetration test the technology or at least run vulnerability scan. And evaluate the effectiveness of their security features, as these will also be crucial. It will be equally important to check that the vendor has a strategy in place to support the technology moving forward, including vulnerability management policies, security advisory notifications, and firmware updates.
Finally, examine your own organization’s approach. Check that you currently focus on an up-to-date network security plan and whether you would benefit from moving to a zero trust security model. Of course, it’s also key to consider how your procurement strategy might impact your security policies and how you might need to improve it.