How IT Can Leverage AI to Prevent Major Cybersecurity Incidents

The need for artificial intelligence (AI) in IT governance, risk and compliance (GRC) is growing quickly.  As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools. 

At its recent Ignite 2017 conference, Microsoft revealed its plans for further incorporating artificial intelligence (AI) into its various offerings.  For example, the company is embedding AI in Excel to assist with automatic determination of different types of entries – Excel will be able to go beyond automatically differentiating between text and numbers to being able to identify the type of text utilized.  Since the program will be able to better identify types of text – for example, differentiating between objects, corporations and people – it also will be able to discover relationships within and between data sets.

A recent report issued by MetricStream found that AI has already taken the step of improving the discovery of data relationships in governance, risk and compliance (GRC). For instance, if a risk assessor links a risk to a business objective, an auditor relates a risk to a control, and an IT security manager identifies a link between a control and an IT asset, an analyst can now evaluate the relationships among IT assets, risks, controls and business objectives. Over time, through machine learning, a GRC system leveraging AI could begin to distinguish these relationships on its own, and thereby augment the discovery of linkages between data objects and make suggestions to human end users of the system. Further, rather than waiting for a human analyst to evaluate the relationships and trends, an AI-backed GRC solution could utilize cognitive computing to continuously analyze the data objects for any changes that could lead to greater risks or control failures – any detected threat to the ability to achieve business objectives would automatically trigger an alert to human analysts for deeper evaluation.

Within an IT GRC context, the need for AI is growing quickly. As companies expand their digital footprints, cybersecurity vulnerabilities worsen due to an increased amount of data being produced from IT security monitoring and performance tools. In response to this, vendors have begun augmenting threat-monitoring tools with AI; the potential for discovering patterns of security vulnerabilities and IT asset performance can be significantly enhanced by the incorporation of this technology. However, AI still requires human analysis of the reports from those assets. Applying machine learning, GRC solutions can learn from the human analysis and then continuously monitor for the emergence of high-risk vulnerabilities, catch them and, through cognitive computing, orchestrate corrective action that can prevent a major incident or failure.

How far is the GRC industry from deploying solutions augmented by AI?  Perhaps not that far.  According to a recent survey conducted by GARP, a risk professionals association, 15 percent of their risk management organizations are already using AI. However, just 4.6 percent say that it plays a significant role in risk management.  Certainly, if compliance and audit professionals were surveyed, the numbers would be even smaller.  Still, with new tools emerging from industry giants like Microsoft that enable developers to incorporate AI capabilities into Excel-based solutions, there will be a lot of experimentation over the next two to three years, and GRC solutions that incorporate AI will play a major role in the industry in the near future.

French Caldwell

One of the foremost thought leaders in IT, French Caldwell has been decisively shaping the GRC market for the last 12 years.

French is a former Fellow and Vice President at Gartner, where he led their GRC research, including the influential Gartner Magic Quadrant on GRC, as well as research into disruptive technology. He also worked with the White House and U.S. Naval War College in 2002 to develop the Digital Pearl Harbor war game, the first ever strategic assessment of cyber war strategies. In 2012, the game took on a very real form with the strategic attacks on oil and gas infrastructure in Saudi Arabia and Qatar. French is also a retired naval officer and a nuclear submariner. Post-retirement, French served as a diplomatic liaison to NATO for the post-Cold War Congressional Commission on Roles and Missions of the Armed Forces.

As an academic, French served as a Federal Executive Fellow at the Brookings Institution, an Adjunct Fellow at the Center for Strategic and International Studies and an Adjunct Professor and Graduate Research Advisor at the George Washington University School of Engineering Management. He has written a book on international law and has over 400 published research papers.

French has an M.A. in International Economics, Strategy and Diplomacy and a B.S. in Oceanography.