$8.8 trillion protected: How one CISO went from ‘that’s BS’ to bulletproof in 90 days

In a revealing conversation with Sam Evans, the Chief Information Security Officer (CISO) of Clearwater Analytics, the critical role of enterprise browsers in combating the risks posed by shadow AI was highlighted. Facing a daunting task in October 2023, Evans addressed the board regarding potential vulnerabilities that could jeopardize the firm’s substantial $8.8 trillion in managed assets. He expressed his biggest concern: "The worst possible scenario would be if an employee inadvertently fed customer data into an unmanaged AI system, which could then be used to train the model." Evans elaborated on the evolving landscape of cybersecurity, noting that attacks have grown more sophisticated. "The complexity of phishing attempts has escalated, driven by advancements in AI technology," he stated. However, he emphasized that AI also enhances defensive measures. It’s a perpetual game of cat and mouse, where both malicious actors and security professionals leverage AI to outsmart each other. To bolster their defenses, Clearwater Analytics has integrated AI into their security operations, allowing analysts to focus on more strategic tasks. The AI assists in the initial triage of threats, providing guidance based on historical data and predictive models. This has significantly improved the detection rates of potential threats compared to traditional methods. One of Evans' major concerns is the emergence of deepfakes, which pose a significant risk in impersonating executives to facilitate fraudulent transactions. "Deepfakes can appear alarmingly realistic, making them a serious threat," he warned. He also shared his strategy for educating the board about shadow AI, noting that while tools like ChatGPT can enhance productivity, they pose risks if sensitive data is mishandled. After a thorough evaluation process, Clearwater Analytics decided to deploy Island, an enterprise browser designed to control web usage on company devices. Evans recounted a pivotal board meeting where he demonstrated Island's effectiveness in preventing data leaks while still allowing employees to use AI for legitimate queries. "Since implementing Island, we’ve gained better control over shadow AI risks, which has provided peace of mind," Evans remarked. While no security solution can guarantee complete safety, the deployment has provided a framework for managing AI interactions without compromising on data security. To counter deepfake threats, Evans emphasized the importance of employee vigilance and established protocols for recognizing suspicious requests. He advised other CISOs facing similar challenges to focus on enabling secure productivity rather than merely imposing restrictions. As the shadow AI landscape grows, with an estimated 50 new AI applications emerging daily, security teams face increasing pressure to adapt. Industry experts stress the need for organizations to develop robust strategies that balance security with the effective use of AI technologies, lest they drive usage underground and amplify risks.