Thierry Berthier is a lecturer at the University of Limoges and cyberdefence and cybersecurity researcher. He launched the debate with an observation: because the number of cyberattacks is growing, we need to react very quickly. AI is the only way to obtain this result, which is why more and more systems are using it. Initial experiments conducted by Vincent Le Toux, deputy CISO at Engie, have shown concrete results, such as detecting fake domain names. But this ISS professional is circumspect on the specifics of the algorithms, noting that the vast majority of attacks are on Shadow IT and are generally not detected. Arnaud Tanguy, CISO at AXA Investment Managers agrees: "if we’re talking about pure AI, we’re not there yet."
Fraud detection is another area where AI can contribute real added value for CISOs, especially since traditional tools have shown their limits. Two years ago, Société Générale benchmarked the onboard intelligence solutions and developed internal AI, recruiting 20 people, including a doctoral student, data scientists and developers. Performance met expectations. The AI platform in production was then extended to other cases. “The market wasn’t ripe when we started. But the risk we took has paid off. (…) We have to take advantage of the dynamic that promotes innovation. AI is also an excellent communication tool for the CISO team," says Yann Girard, CISO of the Société Générale retail bank in France.
Arnaud Tanguy chose market solutions integrating AI with detection methods that use data on the fly and can be controlled by small teams. AI’s effectiveness also depends on its ability to classify and process large volumes of information. “AI has to work on the data, which requires a prior analysis and checks to make them cleaner. It has to address the company’s risks. And don’t think that AI will replace tools, processes and people; it complements them".
An IA battle?
Thierry Berthier believes that cybersecurity is evolving toward behavioural analysis and social engineering. But these areas are advancing on both sides: the defenders of course, but also the attackers, with the confirmed risk of seeing growing numbers of attacks! “To target increasingly powerful victims, attackers must also become more powerful.” So, he recommends characterising the right traffic in order to improve the detection of fictitious data structures. So, are we going to see AI combats? He doesn’t rule out this possibility, with the risk that, without enough attack data, AI might create fictitious data, which might create… new attacks.
Will AI take the place of the CISO?
Finally, we can’t talk about AI without mentioning a potentially prickly subject: the risk of so-called intelligent machines taking the place of humans! And Vincent Le Toux addressed the elephant in the room by asking the overarching question: “Will AI replace us as CISOs?” He offers a reassuring response: "AI is improving in data processing and the prediction of attacks, but hackers adapt even more quickly. Until AI reaches the level of human creativity, CISOs have a bright future ahead of them.” Arnaud Tanguy recalls that the CISO’s role is to protect the company, "and AI improves our ability to protect." And he welcomes the team formed by humans and AI. “AI can detect things we couldn’t even see before,” Yann Girard also notes. “But AI can't protect everything. It still can’t pass the Turing test.” Yann Girard sees no difficulties for the role of the CISO. On the contrary: “AI shows that security is an inspiring feature.” And to reinforce his teams, he prefers to encourage them to better recognise the information system and the data used. “There are still a lot of false positives with AI."