Getting serious about security culture

The generative AI era means it’s time to get intentional about security culture, argues Esteban Hernandez at Amazon Web Services

 

As organisations increasingly adopt generative AI (Gen AI) technologies, understanding the security implications becomes critical. Core security disciplines, like identity and access management, data protection, privacy and compliance, application security, and threat modelling are still critically important for generative AI workloads, just as they are for any other workload.

 

But beyond emphasising long-standing security practices, it’s crucial to understand the unique risks and additional security considerations that generative AI workloads bring.

 

Building a strong security culture 

Strong security measures empower companies to innovate faster and with greater confidence. Helping everyone within an organisation view security as a business enabler, rather than a hinderance, helps reduce risk while reinforcing resilience.

 

Security teams and organisational leadership can work together to understand business needs and put the necessary protections in place to enable their businesses to grow. This perspective shift is crucial to unlocking the benefits of exploring transformative technologies like generative AI. 

 

When adopting generative AI, implementing strong encryption measures and giving users control over their data can address privacy concerns associated with AI applications. Encryption offers an extra layer of protection to ensure users’ personal and confidential information is securely stored, reducing the risk of safeguarding failures and security breaches. 

 

Companies should seek out AI infrastructure and services with built-in security features that offer this level of control. Adopting services with advanced security certifications can help businesses maintain trust and demonstrate their commitment to protecting sensitive data.

 

GenAI is not the answer for every security question. However, the technology can make the user experience easier and more efficient for security-minded customers. AI-powered tools can assist IT and security administrators in identifying and resolving issues more efficiently.

 

For instance, natural language query capabilities can simplify the analysis of security logs and activity events by allowing administrators to ask complex questions in plain language and receive immediate, actionable insights. This reduces the time spent sifting through large datasets or logs and helps pinpoint potential threats or anomalies faster.

 

AI is beneficial in this way as it can automate the mundane, routine tasks and allow security administrators more time to focus on more sophisticated tasks and challenges. 

 

In order to make these technologies transformative, our teams think about security across all three layers of  our GenAI stack: the bottom layer provides the tools for building and training large language models (LLMs) and foundational models (FMs), the middle layer provides access to all the models along with tools you need to build and scale generative AI applications, and the top layer includes applications that use LLMs and other FMs to make work stress-free by writing and debugging code, generating content, and sharing insights. Raising the bar on security across each layer is our top priority.  

 

Proactivity and collaboration

To foster a robust security culture, companies should distribute responsibility throughout their organisations. From the CEO to developers, every employee plays a role in maintaining security. This approach helps ensure that security considerations are integrated into all aspects of operations, from product development to daily meetings. A proactive security outlook is essential in today’s threat landscape, as is nailing the security basics.

 

Training employees on how to use GenAI whilst maintaining good security hygiene is essential. It’s crucial that everyone in the organisation using AI understands both how the technology functions and the potential risks it carries. Given that AI is still evolving, employees must recognise that the data they input into AI systems could inadvertently expose personal or confidential information.

 

Training programmes should be implemented to educate staff about data privacy, the limitations of AI, and how their input can influence AI outputs.

 

Companies should also implement cross-functional teams that bring together different departments that are using GenAI — such as IT, legal, and product development — to regularly review security practices and adapt them as threats evolve and new applications are implemented. Encouraging open communication and collaboration ensures that potential vulnerabilities are identified early, and security solutions are built into workflows rather than added as an afterthought.

 

This proactive, team-based strategy helps ensure that every aspect of the company’s operations is aligned with security goals, reinforcing resilience against threats.

 

Security is a business imperative 

Finally, companies must commit to continuous security innovation. The cyber-security landscape is ever-evolving, and businesses need to stay ahead of emerging threats. This requires ongoing investment in security technologies and a culture that prioritises security at every level of the organisation.

 

By adopting these principles, businesses can create a security culture that not only protects against current threats but also positions them to navigate the challenges of emerging technologies securely. In the rapidly evolving digital landscape, a strong security foundation is not just a safeguard—it’s a competitive advantage.

 

---

 

Esteban Hernandez is a security specialist at Amazon Web Services (AWS)

 

Main image courtesy of iStockPhoto.com and monsitj