Generative AI can be used to build better security, says Anthony Grieco of Cisco

The SVP & Chief Information Security Officer of Cisco talks to Business Today about the evolving threat landscape, pain points around security, the role of technologies like Gen AI, and more

Nidhi Singal
  • Updated Dec 14, 2023 4:19 PM IST
Anthony Grieco, SVP & Chief Information Security Officer, Cisco
SUMMARY
  • The rise of ransomware can't be ignored, and it really is the commercialisation of hacking
  • Identity, access management, protection of data and workloads, and application security are really important domains that are associated with security
  • Generative AI can be used to build better security and better capabilities to provide security to employees and to customers

Over the last few years, there has been a significant rise in cyberattacks, and more so with the help of new technologies like generative AI. This makes it even more essential for companies to invest in robust security solutions. Anthony Grieco, SVP & Chief Information Security Officer, Cisco, in conversation with Business Today, talks about the evolving threat landscape, pain points around security, the role of technologies like Gen AI, and more. Edited excerpts:

BT: How has the threat landscape evolved over the last two decades and in the last year and a half?

Anthony Grieco: When you really look at how the bad actors take advantage of weaknesses, and then what do they do when they’re in are the two big things that have transformed. You know, many years ago, you would see only a handful of threat actors involved. And so the mechanisms they used were fairly specialised. You look today, and there is such an industry and an infrastructure around what threat actors are doing and how they’re taking advantage of vulnerabilities in systems. And then, what do they do when they get in? This is the next level that they’ve really reached. The prevalence of ransomware, in particular, over the past couple of years and the rise of ransomware is something that can’t be ignored, and it really is the commercialisation of hacking, when you get down to it.

If you look at the Cisco Talos report that we just put out a couple of days ago, LockBit, which is a ransomware-as-a-service gang, is the number one proliferator of ransomware. I think 25% of the data dumps that happened on the dark web are associated with that one ransomware gang, but it's an ode to the adaptability that happens today and the adversarial space where a group of people and adversaries can use a bunch of different techniques and evolve them over time. If I look back on my 20-year history, it wasn't nearly this quick. It wasn't nearly as organised.

BT: What are the biggest pain points when it comes to security?

Anthony Grieco: There's a constant struggle to simplify how you secure and what it means to be secure. Today, you have such interconnectivity, and you have such shared dependencies across systems that create complexity. And today, oftentimes, what we find in the marketplace in particular is that security brings another level of complexity. What the industry needs is a lot more simplicity in how defenders defend and what it means to be secure.

BT: There's no standard definition. And companies these days are really struggling to understand the areas they should focus on. How does Cisco define it for its partners or customers, and what should be their top priority?

Anthony Grieco: When you look at security, there are really important domains. When you think about things like identity, access management, protection of data and workloads, and application security, there are really important domains that are associated with security. In fact, if you look at our Cyber Readiness Report that we put out in 2023, in India, only 24% of organisations have the ‘Mature’ level of readiness needed to be resilient against today’s modern cybersecurity risks across those different domains.

So when we think about security and areas for them, for companies and organisations to focus on assessing their maturity across those different domains, and then building programmes to help address where those biggest weaknesses are, where they show in maturity, is a really important step.

That's certainly what I advise our customers to do—if you don't get those things right, it's hard to do IT with security in mind. But not all organisations are starting from the same place. So that assessment piece is really important so you can know where to focus because there's not an infinite amount of resources and time that can be applied to these problems.

So you have to prioritise what's important, and that's the role of the CISO in understanding that maturity across those different domains, and then how do you make sure that the businesses are working on adding security to the most important bits?

BT: Are organisations opening up to the idea of hiring CISOs?

Anthony Grieco: So CISO, as a title, is ultimately a representation of who's in charge of security. When you look across the globe, it is common to see CISO roles, especially in more mature organisations. So particularly when you get to the size of a couple of 1000 employees, maybe 5000 employees, you tend to see someone who is ultimately in charge of security.

And in fact, there are many different business models that have evolved around this, where you can get virtual CISOs. Maybe they can't afford or don't need a full-time CISO. They can outsource that as a part of their overall maturity from a security perspective. It's quite common to see a CISO role, especially in larger organisations.

BT: How can CISOs stay relevant given the changing threat landscape?

Anthony Grieco: That’s a good question. I struggle with that every day. So when I think about threats and how to stay up-to-date with what's going on from a threat perspective, I lean heavily on our Talos organisation, and frankly, many of their public documents are the ones that are really useful for understanding more details about what the threats are. There's a bunch of good podcasts I personally consume that help me keep up to date on what's happening with bad actors.

But I think when I look historically, CISOs typically come from security centre worlds, so keeping up with threats is kind of the day job. The stretch for most CISOs is how do you engage with the rest of the business? How do you not just think about security? How do you think about security and business at the same time? And so, oftentimes, people who have a security mindset don't understand the nuance of business and how to prioritise within it. So I think that's actually the bigger challenge for most CISOs, from my experience.

BT: With new age technologies like generative AI, quantum computing, etc., how do you see them as a friend and as a foe? Because they can play both roles.

Anthony Grieco: This is my first trip since 2019, thanks to COVID. I am blown away at the digital transformation that has happened in India just in those four years, and so the level of utilisation of technology and the spending that's happening in technology are really out of this world from an outsider's point of view. So it's been fun to experience it.

When I look at generative AI and quantum, I am an optimist when it comes to generative AI and the ability that we can use it to build better security and better capabilities to provide security to our employees and to our customers through our products and our portfolio.

The flip side of it is that absolutely adversaries are using it already today to be more efficient and effective. The effectiveness of traditional types of attacks like phishing and others has certainly gotten way better, and there's no doubt about that as a result of the generative AI revolution that we've seen. But we've also seen and believe that there's a lot of relevance to the time from a vulnerability being announced to the time there's actual exploitation has shrunk, and generative AI certainly can help play a role in that from an adversarial perspective. Now that's to the bad.

To the good, we have an amazing opportunity, and in fact, we're building it into our portfolio to help defenders, people who are expected to help enterprises and customers defend themselves, be more efficient and effective. So, we built in chatbot capabilities into our portfolio, which allows for more efficient and optimised operations in plain language.

When I think about quantum, this, for me, from a cybersecurity perspective, is one that is still evolving. It's not nearly as mature in terms of what the possibilities are. Certainly, the existence of a quantum computer would create a bunch of security risks and traditional cryptography. So a lot of work is happening right now to create quantum-resistant cryptography, which would not create the vulnerability, and if a quantum computer were created, that's where a lot of our focus as a company is: helping make sure that the defensive mechanisms that are in place to protect data in particular would be safe in the face of the existence of quantum.

BT: Governments across the world, including India, are now looking at regulating generative AI. Is it going to really slow down innovation around these new-age technologies?

Anthony Grieco: This is the challenge that we all have: how do we enable the advancement at the pace it's needed while looking out for its total impact? So, when I think about it from a security perspective, it's really important that we look at how we use this technology rapidly to provide better security to our customers. If you look at how Cisco thinks about this problem, in particular, we focus on our responsible AI initiative. We've got a lot of things that we can share around that, but we have built them into our process whenever we're using AI inside our company. We have a process by which we consider the impact bias, other security issues, and larger social implications around the use of AI as part of the process where we decide whether we should be using it and for what purposes. Those sorts of frameworks are really important for people to consider in the context of how we do these things responsibly.

We think of trust as something more than just security resilience. We think about security, and we think about the ability to make sure that things have been done responsibly with things like responsible AI. And so when we talk to customers, it's about trust. It is about all of the things that are being done across all those different domains. And in particular, when you look at a country like India, with the trillion-dollar digital economy that's being built, the notion of building trust becomes essential.

Published on: Dec 14, 2023 4:19 PM IST