Artificial Intelligence, Intelligence: The Security Officer’s role in Transforming Contracts, Culture, and Corporate Compliance.
Clifton Dickens, CISA, CRISC, CDPSE, CISSP
• What is and is not AI?
• What uses does AI have?
• Organizational AI security risks
• Explore the 4 C’s
• ISO Roles and Responsibilities
• WIIFM: AI as a tool for the ISO
• Examples of AI use as a tool
• Plan, Do, Check, Act (PDCA) for adopting AI
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
• AI is
o A complex information system that consumes enormous amounts of data so it can perform cognitive-like functions.
o No better than the data
o Helpful
• AI is not
o Intelligence
o Automation
o Infallible
• Artificial Intelligence is not Business Intelligence.
WHAT IS ARTIFICIAL INTELLIGENCE (AI)?
• AI – Artificial Intelligence
o Simulates human decision making, not thinking.
• ML – Machine Learning
o Machines learning from AI data, not you.
• NLP – Natural Language Processing
o Interpreter: Interprets human language for AI
• LLM – Large Language Model
o Algorithm trained on large amounts of data
• Gen AI - Generative AI
o Algorithm that can create something new: text, 3D renderings, music, code, video, or more data.
What uses does AI have?
WHAT IS BEING DONE WITH AI
The Good
• Creating images
• Creating documents
• Responding to text or auditory input
• Analyzing trends
• Writing application programs
The Bad
• Image creation (Deep fakes)
• Creating spoofs and forgeries
• Covertly listening and analyzing
• Studying your defenses
• AI polymorphic viruses
WHAT IS THE BUSINESS DOING WITH AI (today)?
• Customer service (Chatbots, Q&A, Help documents, and more.)
• Human resources (Candidate selection, staffing and planning, training, and more.)
• Marketing (Image creation, customized advertising, and more.)
• Finance
• IT (writing and reviewing code, customer service, and more.)
• Other areas (driving cars, making sales, analyzing trends, and more.)
• Contract writing and contract reviews
• Identifying risk
AI RISKS
• “AI is not infallible”
• Inaccurate information or flawed analysis
• Incorrect or Improper use of AI
• Data leakage
• Intelligent and Advanced Threats
• Inconsistencies
• Stay tuned, there’s more to come
“One of the main cyber-risks is to think they don’t exist. The other is to try and treat all potential risks.”
- Stephane Nappo
ISO Roles and Responsibilities
The Information Security Officer’s Role
INFORMATION SECURITY OFFICER
• Manage relationships with security partners.
• Ensure information systems operate in accordance with policy.
• Develop enterprise processes for information security, risk management, and compliance.
• Provide the business with security services.
• Ensure appropriate controls are in-place to mitigate risk.
• Document information security policies, standards, procedures, and guidelines.
• Coordinate the response to security breaches of C & I (confidentiality and integrity), and disruptions in A (availability).
• And much more.
“It takes 20 years to build a reputation and a few minutes of a cyber-incident to ruin it.”
- Stephane Nappo
AI as an ISO Tool (WIIFM)
• Help detect vulnerabilities
• Help write policies and procedures
• Review contract T’s & C’s
• Write code
• Create test steps and test plans
• Help with reporting
• Predict vulnerabilities
• Measure impact and likelihood
• Help define risk (Qualitatively)
• Identify missing information
“People will soon get tired of staring at a plywood box every night. TV is a passing fad.”
- Darryl Zanuck (1946)
Executive Producer at 20th Century Fox
The 4 C’s
The 4 Considerations for Organizational AI Programs
THE 4 C’s
Culture
Contracts
Competence
Compliance
cul-ture (noun)
The customs, arts, social institutions, and
achievements of a particular nation, people, or
other social group.
CULTURE
The ethos of your organization.
• What is your current culture?
• Will the culture need to change?
• Any advocates for AI?
• What are expectations?
• Aptitude of workforce
“Everything we design is a response to the specific climate and culture of a particular place.”
-Norman Foster
CONTRACTS (& AGREEMENTS)
Organizational covenants and commitments.
Contract Considerations for Customers of Gen AI Solutions
1. Pre-Contract Diligence
2. Inputs
3. Outputs
4. Compliance with Law
5. Risk Allocation
“Read your contracts. Up and down, left and right.”
- Lauren Jaurequi
COMPETENCE (& CONFIDENCE)
Organizational proficiency and mastery.
• Proper use (safe, effective, and intentional)
• Training and education
• Security Awareness includes AI
• Confidence in Results (output)
“It is easier to do a job right than to explain why you didn’t.”
― Martin Van Buren
COMPLIANCE
Organizational adherence and observance of rules.
• Don’t fear doing what’s right
• Be familiar with AI laws and regulations
• State your requirements
“The industrial age brought compliance and compliance brought fear and fear brought us mediocrity.”
-Seth Godin
COMPLIANCE CONT.
Other requirements and guidance.
• NIST
o Artificial Intelligence Risk Management Framework
• ISO
o Standard for AI Model Management (IEEE 2941-2021)
• New York
o Local Law 144
• California
o Automated decision rulemaking by CPPA
• United States White House
o Blueprint for an AI Bill of Rights
“Cellular phones will absolutely not replace local wire systems.”
- Martin Cooper (1981)
Motorola Researcher and Executive
ISO Roles and Responsibilities
The Information Security Officer’s Role with
Organizational AI
THE INFORMATION SECURITY OFFICER’S ROLE w/ AI
• Manage relationships with security partners and AI providers.
• Ensure information systems operate in accordance with policy (incl. AI).
• Ensure AI services perform in accordance with policy and standards.
• Develop enterprise processes for information security, risk management, and compliance.
• Provide the business with security services and security consultation.
• Ensure appropriate controls are in-place to mitigate risk (incl. AI).
• Document information security policies, standards, procedures, and guidelines (incl. those for AI).
• Coordinate the response to security breaches of C & I (confidentiality and integrity), and disruptions in A (availability), including AI as a Service.
• Ensure AI is included in Security Awareness Training
• And much more.
ISO ROLE & RESPONSIBILITY: CULTURE (AI)
• Document information security policies, standards, procedures, and guidelines.
• Security Training and Awareness
• Become an advocate for safe AI use
• Participate in AI use cases
• Provide consultation to the business on secure use of AI
ISO ROLE & RESPONSIBILITY: CONTRACTS (AI)
• Ensure AI specific language is adequate
• Explain the risks associated
• Paraphrase selections
• Identify key conditions in agreements relating to AI
• Ensure
• Review
o Contracts
o Agreements
o SOW’s
o Work Plans
o Project Plans
o MSA’s
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.1)
Paraphrasing with ChatGPT4
What does this mean in plain English?
“You may install and use the Software on a single computer; OR install and store the Software on a storage device, such as a network server, used only to install the Software on your other computers over an internal network, provided you have a license for each separate computer on which the Software is installed and run. A license for the Software may not be shared, installed or used concurrently on different computers.”
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.1 cont.)
Paraphrasing with ChatGPT4
You can put and use the software on one computer. OR you can put the software on something like a big computer (called a network server) that helps share it with your other computers in the same place, but only to put the software on those other computers.
For every computer you want to use this software on, you need a separate permission (called a license).
You can't use the same permission to put the software on multiple computers at the same time.
In essence, one license means you can use it on one computer. If you want to use it on another computer, you need another license.
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.2)
Clarification with ChatGPT4
Rewrite this policy and use words other than the words computer and software because some people may misconstrue what a computer or software truly is. “[insert same text]”
ISO RESPONSIBILITY: CONTRACT REVIEW (ex.2 cont.)
Clarification with ChatGPT4
You can install and use the program on one device. OR you can install the program on a central device (called a network server) that allows you to share it with your other devices in the same location, but only to install the program on those other devices.
For every device you want to use this program on, you need distinct approval or a separate authorization (called a license).
You can't use the same authorization to install the program on multiple devices simultaneously.
In essence, one license allows you to use the program on one device. If you want to use it on another device, you need another license.
ISO RESPONSIBILITY: IDENTIFY KEY CONDITIONS
Review of GoDaddy AI Terms of Use
What are the most important parts of this agreement?
https://www.godaddy.com/legal/agreements/ai-terms-of-use
ISO RESPONSIBILITY: IDENTIFY KEY CONDITIONS
Review of GoDaddy AI Terms of Use
• Usage Requirements: You must follow the Universal Terms of Service and the General Rules of Conduct.
• Misuse Prohibitions: You can't use the AI Services for illegal activities, promoting harm or violence, spamming, violating intellectual property or privacy rights, among others.
• Misrepresentation: The use of AI Services should not involve deceptive language or claims about GoDaddy or its services.
• AI Outputs' Integrity: GoDaddy hasn't verified the outputs of the AI Services for their accuracy, neutrality, clarity, or intellectual property clearance.
• No Guarantees: GoDaddy doesn't guarantee the AI Services' outputs' accuracy, reliability, or error-free nature.
• Advice: It's suggested you seek independent legal advice before relying on AI-generated outputs.
• No Liability: GoDaddy won't be responsible for any kind of damages, including those from AI Services' outputs.
• Max Liability: If GoDaddy were ever to be found responsible, the most they'd pay is $10,000.
• Longevity: These liability rules will continue to apply even if this agreement ends or if you stop using their website or services.
In essence, GoDaddy is outlining rules for how to use their AI Services, stating they can't guarantee the AI's outputs, and clarifying they're not liable for any potential damages from using their services.
ISO RESPONSIBILITY: WRITING POLICY STATEMENTS
Input
Write policy statements using the following information.
“Our company employees are not to download attachments from emails sent by external parties and from origins unknown when they cannot verify the source or trust the source of origin of the email. Also they should not forward any suspicious emails to anyone else whether that person is inside of our organization or outside of our organizations. Our employees should also not send any emails to anyone harassing, mocking, or insulting anyone even if it is meant to be a joke. Our employees must not send any attachments or information to anyone outside of our organization unless they have explicit permission to send the information to that person or group.”
ISO RESPONSIBILITY: WRITING POLICY STATEMENTS
Results
1. Email Attachments: Employees are prohibited from downloading attachments from emails that originate from external parties or unknown sources, unless the source of the email can be verified and is deemed trustworthy.
2. Suspicious Emails: Employees must not forward suspicious emails to any individual, regardless of whether the recipient is within or outside of our organization.
3. Appropriate Communication: All communications, including emails, sent by employees should maintain a professional tone. Harassment, mockery, insults, or any inappropriate comments, even if intended as jokes, are strictly prohibited.
4. Sending External Attachments and Information: Employees are not permitted to send attachments or any confidential information to individuals outside our organization unless they have received explicit authorization to do so.
ISO ROLE & RESPONSIBILITY: COMPETENCE
• Training – Provide periodic training and awareness
• Education – For yourself and organizational users
• Controls – Select or design controls and implement
• Analysis – Continue to understand how employees are using AI and how AI is evolving.
• Consider:
• AI Tool Selection
• AI Training Data Source
• End User’s Knowledge
• Use of Output
ISO ROLE & RESPONSIBILITY: COMPLIANCE
• Regulation and Requirements
• Organizational requirements
• Policy and Standards enforcement
• Acceptable Use
REMEMBER THIS!
AI is still evolving
The understanding of AI is still maturing
Capabilities are still being realized
Be flexible and elastic
Be suspiciously optimistic
Develop a strategy
Develop a plan
Be prepared to make changes
“To improve is to change; to be perfect is to change often.”
-Winston Churchill
Plan – Do – Check - Act
Deming circle. Activities on the wheel:
• A.I. Risk Assessment
• Create Policy
• Choose a Framework
• Develop Metrics
• Awareness training
• Implement Controls
• Redline Contracts
• Assess Risk
• Analyze Results
• Revise Policy
• Enhance Training
• Modify procedure
Plan – Do – Check - Act
Plan
• Decide how to approach AI in your organization
• Learn how the business plans to leverage AI
• Conduct an AI RA (risk assessment)
• Decide what controls are needed
• Determine what ISO continual AI support for the business looks like
• Review/Write requirements
Do
• Implement AI policies
• Set AI related standards
• Train users
Check
• Review how the internal business is using AI
• Review how the vendors are using AI
Act
• Update the policy
• Revise and/or strengthen controls
QUESTIONS?
THANK YOU FOR ATTENDING