NATIONAL HARBOR, Md. — One of the most important jobs for CISOs in the AI era is to stay calm and carefully assess their organizations’ risk exposure, experts said this week at the annual Gartner Security & Risk Management Summit here.
“Don’t panic,” Katell Thielemann, a VP analyst at Gartner, said during a talk on Tuesday about AI’s impact on the security of cyber-physical systems such as industrial control equipment.
“Yes, things are changing fast,” Thielemann said, “but there are some low-hanging fruit” that CISOs can tackle, such as disconnecting critical devices from the internet and monitoring remote access to the remaining infrastructure.
The recent debuts of Anthropic’s Claude Mythos and OpenAI’s Daybreak, two powerful new AI models that can find software vulnerabilities much more quickly than previous tools, have rattled cybersecurity leaders, who have sought help countering the resulting risks. Technology vendors and consultants have rushed to meet that demand for help, in some cases with unnecessary or counterproductive advice and products. At Gartner’s conference, experts urged CISOs and other security executives to focus on the basics rather than the hype.
“What does Mythos or Daybreak change? Velocity and volume,” Dennis Xu, a VP analyst at Gartner, said during a session on Tuesday. Attackers are “coming at us much faster, and in the next 12 months [they will attack at] a much higher volume.”
Still, Xu said, CISOs should remember two things: “Don’t panic” and “communicate.”
“You need to communicate … to the executive team [and] to the board that we are fighting a different game now,” he said, adding that security executives shouldn’t be afraid to use the new threat environment as an opportunity to demand larger budgets.
But despite the increased velocity and volume, Xu said, businesses’ defensive priorities should remain largely the same, with a focus on managing asset exposure and prioritizing patch deployment to the most important systems.
At one point, Xu asked audience members how many of them had defined their businesses’ “minimum viable operations,” the core systems and processes without which they couldn’t function. When few hands went up, Xu said companies should focus on that task.
“I don’t want you to spend six months doing it, but that’s a thing I would have,” he said, “if for no other reason than it serves as a common language [where] we can all agree and understand what’s important, and then stakeholders can begin to prioritize cybersecurity resilience decisions in the important places.”
AI hype meets reality
Business leaders must be cognizant of how effectively they’re using AI, as well as what effects the technology is and isn’t yet having, Gartner analysts said during talks throughout the conference.
OpenAI, Anthropic and other AI firms are pushing businesses to buy expensive subscriptions for tools that they promise will revolutionize companies’ complex, time-consuming practices. But that rhetoric has often failed to match the reality, as companies discover that AI tools burn through tokens without producing significant results.
Security leaders “feel underrepresented and under-resourced,” said Bart Willemsen, a Gartner VP analyst, “because our money is actually going away to, dare I say, [generative] AI platforms that used to be somewhat almost free, then they started paying per user per month … [and] then it was per token.”
“Are we draining our budgets on things we can do better [with humans]?” Willemsen asked. “I do firmly believe we are.”
Companies should be wary of replacing experienced workers with AI models, he added, because if the AI tools prove deficient, recruiting those workers back or finding new people to replace them won’t be easy.
“For those of you who are thinking, ‘Well, AI will make it so that I can do whatever I want with less people,’ let me tell you, the moment you get rid of them, you are not getting them back,” he said.
Emphasizing human skills
Another session also featured a warning about the follies of neglecting workforce development in the AI era.
“We are facing crushing pressure from the C-suite and the board to showcase the value in AI investments,” said Alex Michaels, a director analyst at Gartner. “Years of hype further accelerate this urgency. Yet AI ambitions are met by a talent bench that is not prepared for widespread rapid AI adoption.”
Michaels was speaking in the context of the security operations center (SOC), a domain that business leaders have been keen to automate with AI but one that Michaels said required continual investment in human skill sets. Yet as AI takes on more SOC tasks, Michaels warned, there will be less imperative to keep human workers trained on important skills, potentially jeopardizing institutional knowledge.
“Even if we’re successful in implementing AI automation at scale,” Michaels said, “we risk eroding the potential of our future generation of SOC talent.”
Reality check on AI and industrial control systems
Thielemann, whose session focused on cyber-physical systems, said critical infrastructure operators should focus on cyber hygiene basics such as network segmentation and access control rather than stressing out about a crippling AI-powered cyberattack that might not arrive for years.
“We know AI is knocking at the door,” she said. “Time will tell, but we haven’t seen sort of this nightmare scenario happening yet.”
Anthropic has been inviting selected equipment vendors and critical infrastructure operators into its Claude Mythos preview program, Project Glasswing, but so far, Thielemann noted, none of the companies that make industrial control systems have disclosed their participation.
“If CPS-specific vendors are part of Mythos, they’re not piping up,” she said. “We haven’t seen anything from the Siemens, from the Rockwells, and [from] the Honeywells.”
“Until we start seeing more information,” she added, “please don’t fall for the ‘Mythos in manufacturing, we’re all going to blow up’ [rhetoric], which I see quite a bit.”
