Be secure, save money: AI-era lessons from financial services CISOs

CISOs tell us all the time that AI has lots of potential, and that everyone is getting swept up in the hype and excitement of it. It's all the board wants to talk about. But while AI is exciting and promising, and it's one of the most significant technological shifts that anyone’s seen since the smartphone and Internet, the AI hype can sometimes overshadow the daily imperatives that CISOs have to focus on.

CISOs voice these concerns in private, and we get what CISOs are up against, which is why Google Cloud’s Office of the CISO is here to help. We often hear from chief information security officers — especially from financial services CISOs — about how to balance these seemingly competing interests.

While boards and executives have been asking questions about implementing generative AI that may lack clear answers, security leaders still must focus on the day-to-day responsibilities of cybersecurity and risk management. Increasingly, emerging AI capabilities should be able to help CISOs address these concerns, but that doesn’t make them vanish overnight.

A tough balancing act

Privately, financial services CISOs have said much to us about the range of challenges they face. Their insights can be summarized as:

In 2024, CISOs in the financial sector aren't just fighting the battles of today — even though there is plenty of that. We're building defenses against threats we can't even fully imagine yet. AI-powered attacks, cloud vulnerabilities unlike anything we've seen... the landscape shifts faster than we can blink.

Many of these other concerns involve enhancing security, reducing operational costs, and effectively reporting the organization’s overall cybersecurity posture to the board. We’ve listened to many of these firsthand accounts from CISOs in financial services, retail, and other industries over the past several months, and appreciate the importance of their experiences and concerns, their successes and failures.

To help even more CISOs and security teams, we’ve identified the trending topics of concern, the biggest questions those topics have raised, and how we recommend responding to them.

Key area of concern: Dealing with AI hype, building a secure future

CISOs are grappling with the task of securing AI systems for business use cases demanded by their board and executive leaders. This can be distilled into three general categories:

• Secure use of AI for the business
• Secure use of AI for security
• How do I govern AI uses?

Notably, CISOs are asking the questions that go beyond the traditional narrow confines of cybersecurity, and touch on intellectual property (such as who owns the code produced by a gen AI bot) and other risks. AI governance is a critical component of protecting organizations from the unique risks that AI systems introduce. It encompasses a set of policies, procedures, and practices that organizations use to ensure the safe and responsible development and deployment of AI systems in a way that protects against cyber threats.

CISOs are working towards enhancing the capabilities of their security teams to effectively combat evolving threats and attacks. In doing so, they raise two questions:

• How do I defend against the latest threats that try to exploit our legacy technologies, multicloud environment, and supply chain concerns? Tools like our new Security Command Center Enterprise can help create the insight that security teams need.
• How do I make defending against these threats easier and less complex so my management, security teams, and developers understand the objective and can reduce complexity? (This can be summarized as creating “secure products” instead of “security products.”)

Google Cloud also offers resources on securing AI, including the SAIF framework, the recent Securing AI: Similar or Different paper, and an in-depth look at AI risk governance, with more on the way.

Key area of concern: Becoming more threat-informed

CISOs want to transform the vast amount of threat intelligence data available into actionable insights that can benefit their organization and the wider community. Becoming threat-informed is hard for many security organizations.

Getting actionable intelligence quickly, and acting on it before an adversary does, can be a real challenge for organizations. (Especially since knowing about threat intelligence and not acting on it can just as quickly turn into a liability.) Through Mandiant, VirusTotal, and additional services, Google provides unrivaled global threat visibility encompassing the breadth of threat actors from cloud to OT, and depth of coverage.

Key area of concern: Securing legacy infrastructure

CISOs strive to maintain the security posture of their legacy devices and infrastructure while minimizing operational costs. The complexity of these systems often makes them more vulnerable to attacks and expensive to defend.

• Legacy and complexity have accumulated to tech and security debt
• Most CISOs secure existing infrastructure by managing down the risk down — often by adding on security, which then creates more complexity

Key area of concern: How to be secure and save money

One of the most common CISO complaints that we hear is that too often, business leaders see security as a “tax” or “overhead.” How can CISOs reduce costs while protecting the enterprise? We see this especially in the context of mergers and acquisitions, as security programs must pick security tools based on the business risk — while that risk model is in flux.

It’s at least as important, and just as challenging, to identify the right people to run their cybersecurity practice. Because talent is in such high demand, it often increases the operational cost of running a cybersecurity team.

Adopting modern security practices can have real benefits to an organization’s bottom line. Optimizing your current resources to take advantage of automation, machine learning, and generative AI can help develop a laser-like focus on your core mission and priorities. When cyber programs rationalize their key objectives with management (and get those vital CEO, CIO, and board-level approvals,) then the CISO and security team can craft better definitions for their strengths and weaknesses.

The upshot of this approach is that it can help CISOs justify building more secure products and ecosystems. If you can present a business case for improving entire ecosystems to create a better customer experience and provide better security built in, you may be able to eliminate some or all of the need for expensive third-party security tools. Simplicity is a friend of cybersecurity.

Key area of concern: Evangelizing security

Part of the broader challenge that CISOs face is to effectively convey the business value that security brings to management, boards, and the organization they serve. To achieve this, they sometimes seek to demonstrate the ability to maintain business resiliency in the face of cyber threats.

• How do I communicate this to my management, peers, and board of directors?
• How do I demonstrate value because everyone sees me as a cost center?

CISOs should strive to shift the narrative from achieving 100% security to emphasizing the importance of maintaining business resiliency. They should assure management that their teams are on track with the deliverables outlined by the board and executives, and that the organization’s risk posture is effectively managed. When CISOs can accomplish those goals, they stand a better chance of showcasing the daily business benefits of their security efforts and dispel the perception that security is an obstacle to progress.

These are your next steps

As a CISO, you have a lot of responsibilities across cybersecurity and across the business. We recommend six key actions:

• Build a trusted network to help you learn from your peers, community, and have visibility across multiple industries.
• Ask hard questions to ascertain whether you’re actually unique in what you do, or just constrained by budgets, resources, and funding. In the places that you are unique, start a conversation about how to protect the business value while using common methodologies and approaches.
• Create defensible programs based on mitigating key threats to the industry, and communicate what you are doing to management and the board.
• Educate yourself on the latest trends such as security of AI from subject matter leaders and experts.
• Stay curious and take advantage of opportunities in the environment to advance your business and your cybersecurity posture.
• Think like a CFO. Build a trusted partnership between the CISO, CIO, and CFO on how you can maximize your investments and prioritize key mission objectives.

For more information, please read our guidance on how financial services organizations can more securely move to the cloud, knowing which vital questions can help guide transformation success, and learning how to navigate the multicloud jungle.