What strategies should IT leaders use when they engage AI vendors to minimize risk potential?
Sort by:
On the security side we know we can benefit from it and in some cases we already have proof of value. But we have to do enough as purchasers of AI-based security products to ask the security vendor questions around their principles and practices, such as, “Do you have all the data? Can you get all the data?”
Let's say I'm doing data protection and want AI capability. Is it okay to use data on the internet that may have been stolen and leaked in order to train your model? That’s a solid question to ask because if you're training your model on other people's sensitive data that was leaked, it was never intended to be out there. I know some organizations that have almost gone down those slippery paths; there are probably a few that have but that’s not happening on my watch.
It's an ethical choice but asking where they got their data from is very relevant if we’re buying an AI-based or ML-based data protection capability. It would give you an idea of an organization's moral compass and whether or not they're pointing in a direction that's consistent with yours.
It's a very good question but many data companies won't even answer it. Satya Nadella, as an example from Microsoft, now has a 30-minute review on the data that's being built in the models every Thursday morning. How many CEOs are doing that?
No matter what the technology is, if you don't define a business outcome that you can measure and achieve, then you wasted money. I got myself in some trouble many years ago as a young finance person, in Intel IT during a big capital and expenditure review. One IT director was pitching why they needed money for this automation and he couldn't answer my questions.<br><br>My closing comment was, “A fool with tools is still a fool.” I was then summarily walked out of the room because I insulted a bunch of technologists, but it's true. If you don't paint the business benefit, you should be held accountable for not delivering the outcome just like any business, whether it's on the security side, the IT side or anything else.
Minimize risk potential by doing your due diligence. There are so many things where people will pitch you, “Just throw AI at this problem.” But you have to have a very good-sized data set. A vendor will say, "We think you can use ML to help you staff assessment jobs." But if we have about 250 auditors and maybe a couple of thousand projects, then that doesn't even come close to the level where machine learning would help, even remotely. It’s just silly.