Last week I attended AuditBoard's Audit & Beyond, a two-day conference in Las Vegas that brought together audit and compliance professionals, as well as IT security pros.
It wasn’t the first time these constituencies shared a conference attendee list. However, for me it was a first when it came to hammering home the point that security and compliance risk are part of the same business risk ball of wax.
For example, just because an enterprise is PCI DSS (Payment Card Industry Data Security Standard) compliant does not mean it’s vulnerability free. Not by a long shot. Business risk includes auditing, compliance and IT security. They are not separate, but part of the same three-legged stool.
When risk worlds collide
From the cybersecurity standpoint of the outside-looking-in, compliance has been a checklist line item. Compliance and auditing have been a necessity that — at times — has been so time consuming and such a non-negotiable that it has engendered animosity between audit and IT security stakeholders. The two battle for budget dollars, resources and a voice with CTOs, CISOs and boards.
But two things have radically changed the risk calculus within the enterprise. Enter artificial intelligence and the velocity of compliance and audit requirements driven by new tech and its compliance byproducts.
Did he just say, “sea change”?
Apologies for stating the obvious and trotting out tired verbiage, but AI represents a game-changer and a genuine sea change for companies faced with an external and internal attack surface of business threats. The digitization of business processes (SaaS, cloud and AI) is now intertwined with a tsunami of global regulatory and data compliance requirements, necessitating a new approach to and definition of risk.
Just as Moore’s Law of compute-power coupled with AutoCAD (computer aided drafting) software revolutionized the lead-pencil days of design and engineering, AI is having the same democratizing impact and fueling a new approach to attack surface management and cross-silo connected risk management.
Something new (and I bet you can guess what this is) is needed to juggle data security, vulnerabilities and threat intelligence. You guessed it; that something is AI. It can reduce manual compliance drudgery with tools such as the AuditBoard platform.
AuditBoard claims organizations adopting its AI-enhanced platform report up to 65% in improved efficiency and time savings. This is achieved by automating repetitive tasks, enhancing data analysis, and offering real-time insights, which reduces the manual effort involved in compliance and risk audits, AuditBoard said in a study released last week.
AI as hero and problem child
Now add to the mix AI as both hero and problem child. Stakeholders last week also emphasized the need to create guardrails and governance around the rapid deployment of domain-specific AI business tools.
Business outcomes tied to the myriad third-party AI applications need to be supervised against a user’s unchecked reliance on AI, which can cause reputational harm, actionable business biases and data insecurity.
This is a real but separate concern when considering AI’s use as a time-saving tool that can work horizontally within a company to decimate the business silos that perpetuate data blind spots for IT and auditors alike.
Bridging a risk exposure gap with a connected-risk approach to cybersecurity
“Compliance is a bread-and-butter piece of cybersecurity. It ensures a level of protection, but it does not mean that it’s the right amount of security to manage the risk that you have. And they are two very different things,” observed Anne Marie Zettlemoyer, a leading chief security officer, almost three years ago.
She added that if a business cannot manage risk, it cannot thrive. A lot has changed in three years — namely AI.
If I learned nothing else last week, it was that AI is an accelerant empowering business to do both compliance and manage risk in one streamlined process. They can no longer be “two very different things.”
By shifting attitudes towards a risk-management approach versus a compliance mindset, risk becomes the determining factor in cyber defense versus the silos of threat intelligence, vulnerability management and compliance checklists.
Breaking down data and operational silos
AI’s promise in this context is to break down silos and bring compliance and IT security together as one unified front. Tools such as AuditBoard create that actionable, single-pane view of risk. It can help a company boil the ocean of cyber threats and pair it with the breathless pace of new and updated compliance requirements. Next, generative AI can output a cogent audit report in minutes that any CTO, CFO or board member can easily understand.
Compliance is not just what you must do to run your business, it’s part of a cyber risk management strategy core to growing and protecting your business, Zettlemoyer said.
Yep, but now AI helps bridge the risk exposure gap between IT and auditors by creating a connected risk approach to cybersecurity.
“By addressing the barriers of data silos and focusing on integration, we can help companies unlock the full potential of AI, turning risk management from a reactive process into a strategic advantage,” said Happy Wang, CTO of AuditBoard, during a Thursday keynote.
“In cybersecurity, this translates to quicker threat detection, more precise responses, and ultimately, stronger defenses against evolving threats,” she said.