AI and Cybersecurity: Tools and Tactics for Protecting Your Organization

The threat of cyber attacks keeps increasing. Innovations like “cybercrime as a service” and generative AI introduce new risks in a world that is constantly evolving and changing. How can organizations keep up and fight back? It’s a complicated challenge, and there’s nobody better to answer it than Pinterest CISO Andy Steingruebl, an experienced cybersecurity expert.

DocuSign CISO Kurt Sauer recently spoke with Andy about the tools, tactics and best practices of a comprehensive cybersecurity plan. Here are the key takeaways, but we encourage you to listen to the full webinar. Kurt and Andy, longtime friends and veterans of the cybersecurity wars, are on the cutting edge of the current cybersecurity threat landscape, and the promise and peril that AI brings to the world of cybersecurity.

The security landscape is changing fast 

Kurt has spent two decades in cybersecurity and says the rate of change in the threat landscape continues to increase. In recent years we’ve seen the emergence of “cybersecurity as a service,” in which hackers create malicious code and rent it out to bad actors. “Cybersecurity is not something that has gone down anytime in recent memory. We now have the introduction of things like cybercrime-as-a-service and all sorts of things that are making it very difficult for information security professionals to keep networks and systems secure.”

Most recently, generative AI has started to become a factor, “making the trends move faster and the turns tighter, and our ability to do observation and orientation becomes more difficult,” Kurt says.

SMBs are especially at risk

Only half of SMBs have a cybersecurity plan in place, according to a 2022 survey. Andy cites a phrase coined by Cisco cybersecurity expert Wendy Nather—”the security poverty line,” which refers to the idea that small companies often cannot afford to create effective cybersecurity protections. But that leaves them vulnerable. “The problem is two-fold,” Andy says. “One the one hand, big companies with a lot of assets get targeted a lot—it’s the  old adage about why people rob banks, it’s because that’s where the money is.

But on the other hand, ransomware and other opportunistic attacks go everywhere, and whoever's the least defended is the one who gets impacted. So at least in the ransomware space some of the stats show that things like county governments or school districts, or organizations that … don’t have a lot of defensive capability are the ones who are the most targeted … have the biggest losses from cyber crime, at least in the case of things like ransomware.”

Experience matters

Kurt has a theory that the number of security people who have actually endured a real cyber attack is relatively small. “The vast majority never have worked on a real incident where there's an actual attacker attacking you or has already gotten some amount of access and you're trying to kick them out. Dealing with that it's a pretty formative experience for people. And if you've never done it, then you just don't have that learning. If you don't have the muscle memory in your organization or your processes to be able to deal with an attack, sometimes it makes it more difficult for you to be able to respond because everything is new, it's the first time around.”

This also creates an opportunity for AI to assist cybersecurity professionals. In lieu of having a battle-tested cybersecurity expert on staff, it’s possible to create an AI-assisted playbook that can help people who are being attacked figure out what steps to take based on what others have done.

AI: promise and peril

Will AI be good or bad for cybersecurity? The answer seems to be both. For example, generative AI can help bad actors create more effective phishing attacks. But there are a lot of ways in which AI will help defend assets, Andy says. Generative AI may also create new risks that CISOs have to deal with. Deep fakes might become more convincing. CISOs might also find themselves fighting threats that could hurt a company’s brand reputation. “We don’t necessarily think of that as a traditional security function, but it’s something I think about,” Kurt says. “It’s something I think every company will need to think about. I realize it's a little bit outside the norm of a security role, but it seems like an interesting dimension.

How is your organization approaching cybersecurity? Are you ready for a future in which AI becomes another risk factor, but also creates new ways to defend online assets? We hope this webinar helps you find some answers.