Chris Hetner, senior cyber risk advisor at the National Association of Corporate Directors (NACD), explains: “The cybersecurity industry often operates in an echo chamber and is calibrated to be highly reactive. The echo chamber spins up the machine by talking about Agentic AI [AI agents], AI drift, and other risks. And a whole new set of vendors then overwhelms the CISO portfolio. AI is merely an extension of existing technology. It serves as another lens through which we can bring our focus back to the essentials.”
When Hetner speaks of the essentials, he highlights the importance of understanding the business profile, pinpointing threats within the digital landscape, and discerning the interconnections among business units. From there, security leaders should assess the operational, legal, regulatory, and financial repercussions that could arise in the event of a breach or exposure. Then they should aggregate this information into a comprehensive risk profile to present to the executive team and board, so they can determine which risks they’re willing to accept, mitigate, or transfer.
Protect the data
Given how AI is used to analyze financial, sales, HR, product development, customer relationship and other sensitive data, Martin-Vegue feels that data protection should be at the top of the risk manager’s list of specific controls. This points back to knowing how employees use AI, for what functions, and the type of data they feed into the AI-enabled application.