ChatGPT and Generative AI: Balancing Risks and Rewards episode artwork

EPISODE · Aug 2, 2023

ChatGPT and Generative AI: Balancing Risks and Rewards

from Info Risk Today Podcast · host InfoRiskToday.com

Generative AI offers productivity gains, but if deployed without due security precautions, it can also open up the organization to new cybersecurity threats. Rodman Ramezanian discusses the pros and cons of different approaches to exploit generative AI safely from a cybersecurity perspective.

Episode metadata supplied by the publisher feed · Published Aug 2, 2023

Generative AI offers productivity gains, but if deployed without due security precautions, it can also open up the organization to new cybersecurity threats. Rodman Ramezanian discusses the pros and cons of different approaches to exploit generative AI safely from a cybersecurity perspective.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

ChatGPT and Generative AI: Balancing Risks and Rewards

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, I'm Tony Morbin, Chief of News Editor for ISMG. Welcome to our podcast discussion on ChatGPT and generative AI, balancing risks and rewards. It's my great pleasure to welcome to the conversation our subject matter expert, Rodman Ramazanian, Global Threat Lead at SkyHigh Security. Thanks for joining us, Rodman.

Hi, Tony. Thanks for having me. It's great to be here. Excellent.

Now, we've chatted before on some of these issues, so I'm really interested to hear your point of view on this. What are the greatest security concerns that people have when it comes to using generative AI to boost their productivity? And are these concerns justified? Yeah, look, it's a common question.

And I mean, I would start by saying, unless anyone's been living under a rock, you surely have read or heard about ChatGPT by now and many of these AI services. It's just one of many AI-driven chatbots that's attracting millions of active users per day, and it's fueling all sorts of different ideas and use cases from writing technical business papers, inferring insights from data, explaining really complex terms in layman's words, and so much more. So as it stands, the possibilities of ChatGPT are potentially endless, but a lot of the security concerns that come from the fact that AI and, you know, I guess the sheer innovation behind it, it isn't really yet understood all that well. You know, the incredible algorithms and learning models that make it so powerful, they're all abstracted from us.

And, you know, it's almost like having the world's smartest, most resourceful person at your fingertips in this form of a black box that just turns basic requests, you know, in plain English, into really useful answers and outcomes. So, you know, as corporate employees start using AI services like ChatGPT in the workplace, security teams are concerned about where their data may be going, how it's being used in these services, what the service's own models are learning from their sensitive data, and so on. And, you know, if you imagine a hypothetical scenario where an internal engineer, you know, inputs some proprietary data into ChatGPT and it asks the bot to analyze it or carry out some sort of function. Without knowing where the data's gone or how it might be used elsewhere, it can lead, you know, to some pretty dire consequences for both the employee and the company.

So I guess to answer your question, yeah, I would say there is some substance to the concerns lately. Now, that data leakage, you know, some organizations have reacted by completely banning the use of certain generative AI offerings, in particular ChatGPT. So what are the pluses and minuses of taking such a drastic approach? Yeah, you know, honestly, here at SkyHigh Security, where we're asked at least on a daily basis about how, you know, they can reduce some of the risk space or prevent things like data loss from using something, you know, as powerful as ChatGPT.

And I would say that in short, you know, if you've got the right data protections in place, then you should really have your bases covered. Now, obviously, there are no right or wrong approaches to this. As I'm sure you'd agree, a lot of organizations have varying degrees of risk appetite and tolerance. That might be because of their industry vertical or the sensitivity of their work and so on.

And as you've said, a lot of organizations take what some may consider a heavy-handed approach of just outright blocking these kinds of services like ChatGPT. So just completely blocking access to them entirely. And, you know, you've got global companies like Apple and Samsung and Verizon choosing to take this approach. But what tends to happen, you know, going down that path is it drives people to go exploring and testing the boundaries to find alternatives.

And, you know, when you've gone ahead and explicitly blocked all the known AI services that you have some knowledge on, a lot of the unknown ones that you've probably never heard of before or have any understanding of their risks, they're the ones that are left on the table for the users to find instead. And you end up making the situation kind of worse because it forces people to the potentially riskier and, you know, more obscure options that nobody knows anything about or might be flying under the radar. And I'd also say that, you know, with the fast growth of AI that we spoke about, you know, it'll eventually make individually blocking these services pretty difficult. You know, even at SkyHigh, we specialize in this sort of thing, you know, populating web and cloud categories and assessing risks.

They've grown from, you know, 200 or so about a year ago or less than 12 months to over 600 now. And, you know, even just agnostically, whether you're using our risk register or some other third-party service, what's bound to happen is that there'll be some delta between when these things come online to the world and when they're analyzed and categorized by the service. So you ultimately face more risk by taking that blanket block approach. And to be blunt, I think any web proxy worth its weight can implement a standard block rule.

You know, there's nothing special or elegant about that whatsoever. But we mentioned there, obviously, blocking. You brought up the topic of risk registers. So what are some of the tools and approaches that we can, that are being used now to reduce the risks associated with generative AI?

And what are your views on each of these? And why do people find it so hard to tackle the problem anyway? Yeah, I think when you peel it back a layer, it's like what cloud-based emails and cloud infrastructure was back a decade ago or two. At first, the dominant view was, you know, email is far too critical to trust the cloud for.

Or, you know, we just don't need it that badly. Or it's not worth the risk. Or we don't see the business value. But if you imagine, you know, the world we live in right now, we found our emails successful by the cloud or without being able to shift our servers and workloads to the cloud.

It's just, it's not possible, you know. And there's no denying that ChatGPT and all these great generative AI services, you know, as you said, can lead to more productivity, more efficiency in the workplace. But there's this dilemma you mentioned of making sure it's only used securely without compromising corporate data or violating any regulatory policies and so on. And I think that's what makes this issue so hard to tackle with just a blanket approach.

You know, you've already mentioned what approach is just to explicitly block. Some organizations see value in permitting the use of AI chatbots, but they want to ensure that the data remains secure. And there's a couple of ways of seeing that proverbial cat today. One option is to use activity controls to permit an AI-based application like ChatGPT, but to prevent certain activities like uploading files or sending prompts even beyond a certain amount of characters.

Another recommendation is to coach users rather than just plainly saying, nope, you can't go there. So there are a number of different ways we can help organizations do that. And specifically at SkyHigh, what's your approach to help your customers get the benefits of generative AI and, as you say, retain control over their data or at the very least mitigate these risks? And also your views on walled garden approaches and the various options that there are.

You know, what would SkyHigh recommend? Yeah, well, I think the reality is that with generative AI and these chatbots being such an exciting and popular domain and, you know, adoptions and keep on growing in incredible rates, you know, to put into perspective, already, according to our global telemetry from the first half of this year alone, close to a million of our users have accessed ChatGPT through corporate infrastructures. Now, if you are a SkyHigh customer, you know, the good news is you already have the tools you need. You can use our categories.

You can use our coaching pages to create a really effective tailored education and coaching for the users. And they're really simple to enable. I suspect most people know about those already. But I'd also say that for us at SkyHigh, you know, our ethos as a company is to protect the world's data.

And I would say that with that focus specifically on data protection, we're enabling organizations to safely use and embrace these innovative technologies without compromising data security or opening the floodgates to risk. And, you know, I mentioned an example earlier that we can limit activities like uploading or submitting certain texts into these services. We can do that based on keywords, like if you've got secret patents or code words or project names, character limits. So that example we spoke about earlier about an internal engineer could be pasting source code or, you know, other proprietary stuff, regulatory checks, like if somebody pasting credit card details and financial records and so on.

We can even forcibly disable services like ChatGPT from remembering chat histories and, you know, being able to train on its data because there are disclaimers, of course, that say, you know, if you tick this box, you agree that we can retain your past submissions and requests and we can learn off that. We can even force these services to disable that feature entirely. So, again, there are a number of different ways that we at SkyHigh can help organizations do that. But I think the key is rather than, you know, taking that one size fits all approach of just blocking something or banning users from going there.

I think coaching them and providing them secure ways of adopting these things is what's gonna make the most difference. And we've been talking really there about the risks from the inadvertent risks from users. We're not really covered the risk already reality of attackers using generative AI, whether that's to search for vulnerabilities, write malware code or convincing lures, whatever they might be doing with AI. How do we deal with this new we rush into explicitly blocking things and taking those more extreme approaches of, you know, I think we should work towards adopting a mature data protection regime.

And I say that because it's a company's data that's arguably more important than anything else, you know, and when you've got these new and exciting services and apps coming online that, you know, to your point earlier, offer really great business productivity and efficiency, you absolutely should be able to embrace these kinds of things and enable secure usage without putting your business operations at risk. You know, I think that old adage of, you know, security should be an enabler and not an inhibitor. I think taking a more data-centric approach or protecting data will go a long way to tackling a lot of the concerns we spoke about today because if you're focusing on protecting your data, it really doesn't matter if, you know, if it's an AI service of today or tomorrow, or, you know, in a year's time, there's some other new flashy service. I think if you're protecting your data, ultimately, you're eliminating all the risks that come with those.

Well, that's some really good advice, sir. And I didn't realise there were 600 various generative AIs out there. Thanks for sharing your insight and expertise today. Thank you for joining us, and I hope we've provided some useful data points to help your organisation address the issue of ChatGPT and generative AI, balancing risks and rewards.

Right, MG, I'm Tony Morbin. Thanks again, Rodman.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on August 2, 2023.

What is this episode about?

Generative AI offers productivity gains, but if deployed without due security precautions, it can also open up the organization to new cybersecurity threats. Rodman Ramezanian discusses the pros and cons of different approaches to exploit generative...

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!