At a glance.
- Industry leaders emphasize the importance of balance when it comes to AI regulation.
- Improving communication between CISOs and boards.
- How CISOs can avoid disclosure failures.
Industry leaders emphasize the importance of balance when it comes to AI regulation.
Sam Altman, CEO of ChatGPT-maker OpenAI, has been conducting a world tour of influential cities in an attempt to assuage the public’s fears about the risks of artificial intelligence. As Wired notes, he has seventeen cities on his itinerary, and this week he made a stop in London where he was met with an auditorium filled with AI enthusiasts as well as protestors pushing for stronger regulation of the swiftly developing technology. In his remarks, he acknowledged that GPT could worsen the spread of disinformation, especially once open source iterations are released to the public. Nonetheless, he warned that over-regulation could hamper the technology’s advancement, referring to the European Parliament’s AI Act, which is currently being debated by legislators. “I think it's important to get the balance right here,” Altman stated. “The right answer is probably something between the traditional European-UK approach and the traditional US approach.”
Altman also reportedly indicated that if the EU’s regulations prove too stringent for OpenAI to comply with, he would consider pulling the company out of Europe. EU industry chief Thierry Breton took Altman’s words as a threat, and responded by stating that OpenAI’s ability to comply would not influence lawmakers’ decisions. "Let's be clear, our rules are put in place for the security and well-being of our citizens and this cannot be bargained," Breton told Reuters. Perhaps realizing he’d overstepped, Altman later walked his comments back in a post on Twitter, Cybernews reports. He tweeted, “very productive week of conversations in europe about how to best regulate AI! we are excited to continue to operate here and of course have no plans to leave.”
As the Washington Post recounts, back in 2017 Microsoft president Brad Smith correctly predicted that AI would be at the forefront of the tech legislation debate in about five years. Yesterday Smith gathered government officials, members of Congress, and policy experts to share his take and unveil his “blueprint for public governance of AI.” Smith, known for taking a tighter approach to tech regulation in comparison to his peers, also stressed the importance of balance when it comes to AI, without sacrificing public safety. Smith stated, “History would say if you go too far to slow the adoption of the technology you can hold your society back. If you let technology go forward without any guardrails and you throw responsibility and the rule of law to the wind, you will likely pay a price that’s far in excess of what you want.”
Improving communication between CISOs and boards.
The US Securities and Exchange Commission is proposing new regulations that would ensure board members are actively involved in their company’s cybersecurity policies. Publicly listed companies would be required to disclose which board members are responsible for cybersecurity, how often cybersecurity is reviewed by the board, and how the board has incorporated cyber risks into the company’s overall risk management strategy. The proposed regulations would give CISOs increased responsibility for communicating their companies’ cybersecurity policies to the board and making sure board members understand the reasoning behind these strategies. To accomplish this, communication will be key, and Forbes offers tips for CISOs on effectively educating board members about cyber policies. Recommendations include focusing only on the data necessary to help the board understand cybersecurity decisions, instead of inundating them with facts and figures. Conducting tabletop exercises could also make it easier for the board to visualize the company’s incident response plans, and adding a cybersecurity expert to the board can take some of the pressure off the CISO and serve as a translator for board members on the technical aspects of cybersecurity strategy.
How CISOs can avoid disclosure failures.
Remaining on the topic of CISO responsibility, Dark Reading discusses how the recent sentencing of former Uber CISO Joseph Sullivan highlighted the need for CISOs to fully understand the convoluted rules of cybersecurity incident disclosure. SolarWinds CISO Tim Brown, who emerged successfully from his company’s massive data breach last year, offers his expert advice. Brown suggests that a detailed rundown of incident reporting rules, perhaps similar to the 2002 Sarbanes-Oxley Act for CFOs, could help CISOs better navigate the complicated maze of cyber response rules and deadlines. Melissa Bischoping, director of endpoint security research at Tanium, says CISO coordination with other stakeholders is essential. "Their responses must be coordinated with legal and communications stakeholders to ensure they are meeting regulatory and legal requirements, and providing the appropriate level of information to the right consumers of the information," Bischoping states. And Dave Gerry, CEO of Bugcrowd, notes that companies must consider how disclosure deadlines might impact the time it takes to effectively detect and respond to an incident. Gerry explains, "Identifying the root cause and magnitude of the incident to avoid adding additional fear and confusion to the situation takes time, which is an additional consideration."