Brett Tucker
Technical Manager, Cyber Risk Management at Software Engineering Institute | Carnegie Mellon University
RSAC 365 Virtual Summit
January 27, 2021, Online
Really a New Mouse Trap? Exploring Risks with Artificial Intelligence

About the talk

Artificial Intelligence (AI) is all the rage, as the state of the art has prompted interest in its use across many industries. This discussion will provide insight into the risks related to this technology as well as mitigation strategies for reducing risk exposure, building resilience, and potentially saving money in the process.

About speaker

Brett Tucker
Technical Manager, Cyber Risk Management at Software Engineering Institute | Carnegie Mellon University

Brett Tucker is the Technical Manager of Cyber Risk Management in the CERT Program at Carnegie Mellon University’s Software Engineering Institute. Brett is responsible for a research and development portfolio focused on improving the security and resilience of the nation’s critical infrastructure and assets. Prior to the SEI, Brett was the Global Risk Manager for Westinghouse Electric Company where he managed the enterprise risk portfolio and global insurance programs. Brett also served at the CIA and is a veteran of the United States Navy. Brett holds a BS in Chemical Engineering from the University of Notre Dame, a Master of Engineering Management from Old Dominion University, and an MBA from Penn State University. Brett is a certified PMP, CISSP, and Six Sigma Black Belt.


My name is Brett Tucker and I am the Technical Manager of Cyber Risk Management at the Software Engineering Institute within Carnegie Mellon University. Today I am going to talk to you about artificial intelligence and the risks related to it. The name of my presentation is "Really a New Mouse Trap? Exploring Risks with Artificial Intelligence." This title is not an error. I'd like to make an argument, or at least now and for the end of the presentation bring up the idea, that AI as a technology is great. It is exciting. It's been around for a while and it's kind of coming back again as our technology and our savvy get better, but we should really be treating it just as much as we treat any other technology risk, any other new technology that we bring into the organization. So we'll kind of go through that and talk about what we think about risk and how we would apply it to this great new technology that's coming our way.

First, let's level-set the entire audience here on what I mean by risk. There's a lot to be discussed here, but let's just start with the idea that risk is nothing more than an uncertainty. Right? We live in times of uncertainty, and I've got to tell you, I'm going to burst your bubble here: the risk environment is really not contracting. If anything, we are seeing a lot more of this uncertainty come about as we have these advancements in technology and as we have things like pandemics take place, right? We recognize that we're living in this environment that is ever shifting, and we really need to learn to adapt. We need to learn to survive that uncertainty, and we do that through a process. Hopefully as I go through this you'll see a more standardized process; that way we can make better decisions. That's the goal: we want to make risk-informed decisions. Right? And that awareness is going to take us there.

Now, I want to say one other thing about risk that I want you to keep in mind, because AI is a great technology and has lots of opportunity to it. So remember that uncertainty can be linked to a threat just as much as to an opportunity: things that could impact our enterprise negatively, just as much as things that are uncertain that can affect us positively, give us some kind of uptick for the organization. So at the end of the day, what we really can only account for here is the fact that uncertainty exists, and we can think about risk in a lot of different ways. The way we define it, right, for today, I'd argue that risk is an uncertainty that's going to result in some kind of consequence. It's going to lead to an impact, a way that we feel pain, if you will. So that risk, that consequence, that impact is going to come about from some threat, some actor. And by the way, it doesn't necessarily have to be a human being as an actor. We recognize that there could be an event that takes place like a tornado, hurricane, pandemic. Something like that's going to come along, and it could be external to the organization or it could be like an insider threat: somebody who is in the organization who is acting maliciously, or it could be somebody who is just maybe ignorant and makes a mistake. We all make mistakes. It could be the case, right?

And these risks, they happen within an environment; some kind of condition has to exist. Now, in cyberspace we all know this in terms of being a vulnerability, and those of us who are familiar with the recent SolarWinds event and all that, we found that there are vulnerabilities to be found in our systems that we are using, in our assets. So these conditions exist and we must address them, we must identify them. And if we can take that card out of this mix here, we can really kind of eliminate or mitigate our exposure to that risk: if we eliminate all threats, educate our people so that there's no such thing as a mistake that can be made in the enterprise, or we could, as another example, dial away the impact; maybe we make it so that we don't necessarily feel pain if it does come to fruition. Either way, we're going to treat these conditions and these elements of risk such that we can respond to them and eliminate or reduce them. Actually, we will never completely eliminate them, and there will always be residual risk, to use that expression. Remember, I said that we can, and the good news is that we can, address these risks in a standardized manner. That said, this is a very, very general process for addressing any risk. I'd like to point you to a reference at the very end of this for those interested: I just wrote a publication, a technical note, for OCTAVE FORTE, which is a standard risk management process for enterprise risk in an organization, connecting CISOs to enterprise risk in a better sense. Whichever you decide to use, you're going to find they all have roughly the same steps, right? We're going to plan, we're going to identify risks, we're going to analyze them. So we're going to assume that this has been done with artificial intelligence today as we talk about it. Right?

But I can't say more, I can't provide any greater emphasis, that you want to attack this problem in a standardized manner, much like you would any other risk in the enterprise. Sure, AI may be special. It's got great benefits, or maybe it's something that your organization's never seen before, but you must approach it as you would all of your other risks, okay. So let's talk a little bit more about the matter at hand, right, the technology piece, the artificial intelligence side. Now, we have lots of great experts at the SEI, and I'm not necessarily one of them, so I don't claim that. I am a risk expert though. And I would argue that as I've gone down this path I've learned a little bit. The fact that it's a new technology, that's an obvious one, right? But I have learned for sure that AI, much like other technologies that we've seen in the past, is truly here to be a market, and maybe even think about militaries using this kind of technology; it could be very significant. We know that we have to address these risks, not only in terms of how it's implemented in the organization, how it's being used, but also how we're ingesting this as a new asset into the organization. Right. Once again, let's revisit this: if we can dial away the impact, if we can make it so we don't feel the pain, or maybe we eliminate the threat actor, or maybe at some point we can control the fact that we have vulnerabilities, or we control the condition, then we've overall reduced that risk exposure. And that's what we're shooting for in this regard.

Okay. So there are a couple of ways that I've sliced and diced artificial intelligence and brought up some high-level risks that you may want to address in your risk register. I'm going to go through each of these in greater detail, but I want you to know the items I have listed here: an ill-defined problem statement; maybe there's a lack of expertise in the organization; and then maybe there's challenges with the model and the way that we have the system managing the data within that model. Maybe we have unrealistic expectations from stakeholders. And once again, there's challenges with data, and a lack of the ability to verify the model piece. Maybe these are all connected in a sense, right? You don't want to deny yourself the ability to identify the interdependency between each of these elements and understand that in addressing one risk there may be benefit in addressing multiple others. You may see some things repeated, but that's important, that you're hearing solutions being repeated from one to another, because there's going to be an efficiency or a savings on the economy of scale here.

Okay, so let's go into the details here and talk about each of these. Let's talk about an ill-defined problem statement. And I love to think about this in terms of the pandemic that we are just recently suffering with, COVID-19. In 2019, that there would be a pandemic that would be so profound as to bring our economy to a halt, I would challenge any of you that it would be really a shift of your paradigm for you to start thinking about, well, how does that pandemic play in my organization? I mean, think of all the elements, and think about how the organizations interface with me and how they are impacted. So now you have a supply chain risk management issue; all this goes to say you have to define your problem statement. It's not just one piece; there are a lot of little pieces to it. Right? And artificial intelligence is no different, right? Once again, you have this matter where you're ingesting this asset, this technology, into your organization. And as you bring this technology in, you have a provider of some kind, a supply chain element, that is going to be helping you with implementation. Maybe you're buying an off-the-shelf product, maybe it's someone that's actually developing it for you, or maybe you're developing it in-house. That said, whoever it is that's helping you do this, whether it's internal or external, do a deep, deep search, a requirements exploration here, to understand where you're going with it, what you want to get out of it, right? And it all comes down to requirements exploration. Let's face it too: if you don't understand a problem in its entirety, it's always best to decompose it. Chunk it up, right? If we put it in little parts and we address each part, and maybe AI is just one element of a solution for one part, we've effectively diluted that risk that may be rooted in the whole. In other words, if we don't use AI in other elements of this problem that we have decomposed, and this one part goes wrong, maybe it won't end the whole existence of our organization. Bring it in, in a migratory sense, an idea that you may also want to consider, an agile implementation of some sort. Right? Let's take it a step at a time, if you will, and let's bring in pieces and parts and understand how those pieces and parts are interacting in the organization. And that way we can really kind of get on top of this idea that we're understanding the problem as we get smarter about its implementation piece by piece with this agile approach.

Okay, and we all know this. You guys are all sitting in this audience, whether you're home or maybe you're with a group of folks, and you know that you come from a very rigorous background, right? Whether you're home-grown and you learned to be a hacker in your basement, you still put in the effort, and it took a lot to learn that technology, or whether you've gone through those advanced degrees and you have such a profound body of expertise for elements of cybersecurity and maybe even artificial intelligence, that pedigree was not easy to achieve, right? So as you get that, you understand too that this is a team sport and you cannot be the only person in the organization doing this work. If you are, by the way, that's a risk in and of itself, because you're a linchpin, right? If something happens to you, the organization's going to come to a screeching halt. So we understand that we need more people with the skills and abilities that are related to this artificial intelligence as a tool, right? And I mean, think about all the pieces that go with that. We need people who have expertise in data collection and systems engineering, model development, and even just how to decompose these things, and they're not easy to find. Okay, so how do we address this? Right? What are we going to do? I would argue that organizations should have a strong human resource strategy in terms of how you do recruiting. Where are you recruiting from? Once again, this is one of those elements that's applicable across many different technologies, or risks in general, or demands here, and you're going to have to consider, you know, what kind of resources you can bring to the table to hire these people that bring that special expertise to the table. So that said, do not deny the fact that you have people within your organization who may be thirsting to understand artificial intelligence more, who are looking for those additional opportunities, and there's an advantage there: they're already educated on your organization and familiar with your culture and your mission. Try to find people in-house that you can educate and provide that little boost of help. Maybe you send them to the RSA Conference. Maybe you send them to school and have that intellect and that skill set fostered in-house, but it takes time; it's the long game, right? So you can't just go fast when we make decisions about educating the workforce. It takes time and energy. This is a big one to be putting time and energy into.

Okay, so let's talk about customers now, because we talked about how we think we have a problem, and we know that we have people who are going to address that problem. And at the same time, we know that there's going to be somebody paying the bills. Now, let's face it, anyone who has worked on any kind of project before knows that customer expectations can be challenging, right? There's a lot of talk about managing requirements, and you put it in a nice special tool, yes, and even tie it off to the function that you have; this is going back to agile development.

We address each requirement one at a time, and yet you run into this challenge here where the customer's not happy. I mean, I like to think of this actually in terms of New Coke; anybody from back in the '80s? We had New Coke, right? And Coca-Cola came out with this great product, modifying the recipe, and it was a complete failure, right? And it was because the customers had different expectations: they had a product in mind that they wanted to be satisfied, not only in taste, but it had to have that certain je ne sais quoi, that sense that this is Coca-Cola in my mind, and it didn't make that connection. And we can talk about that not just in the soft drink industry; you know, I think of Crystal Pepsi and all the products that have gone past, but we can think about this in other industries as well, right? Where the customers that came in had these great ideas of things that they wanted to get. Artificial intelligence is no different, right? So we need to educate our customers. We need them to understand the things that we're having done with this technology, and that is automated decision-making that is taking place at just a faster rate than what humans would do, and maybe even a little more standardized. Maybe it's got the ability to ingest data at great rates, faster than a human could, and make decisions with that. All said, the customer needs to understand that that's being done with technology that could be flawed; there are decisions that still could be made improperly, because maybe your model has a fault, or maybe your data has been poisoned. And the customer needs to understand, as they're getting this artificial intelligence technology and they're using it, that their expectations may not necessarily be met.

Okay. So once again, this is where we're educating these customers, and we understand, or they understand better, what they're getting. They have to understand too their risk appetite, and risk appetite, let's go back and visit that for a second, is the amount of risk that we're willing to take into an organization. So you have to tell your customer: hey, you're bringing this in, and it may make a mistake, and it may cost you dollars, may be a detriment to the safety of employees and the organization. And when you start talking about, well, let's face it, we're making decisions on how equipment is functioning, and if that equipment should happen to harm somebody or do damage to your organization's operation, you're going to run into some problems, and you need to understand how that's going to happen. And right there, that's the idea of an appetite: maybe an organization won't even adopt AI until it's better understood or until it's proven itself.

Okay. So now you've got a customer who understands what they need. You've got that team and they're educated; they know what they're doing. Right? That said, you've got to recognize too that your environment and your problem is always shifting. You may have defined it one day, but the next day it is completely falling apart. And this is, you know, you think you have a great plan until you get punched in the face, as Tyson said. I don't know, I'm not a big boxer, but let's face it, that's a truism for anything that you're working with, with respect to building models around it. All right, we're trying to figure out how we can use a model within a system that's going to use the data it's ingested, and it's going to make decisions with that data, and it's going to take action. And we have to understand that elements of that picture may change within that model. Let's think about a battlefield, for example: we're making decisions in real time on how to employ assets in the battlefield. Geography, weather, fog; the enemy may use different tactics. All these things may go to impacting how your model was designed and the solution that it was seeking. So all that said, your risk is your uncertainty in the execution of that model being on time again. So once again, what do we want to think about here? Well, clearly requirements exploration was a big thing, right? And by the way, it's not just the idea of when you're bringing it into the organization; you realize that there's a life cycle to it, along with the AI solution product's entire life. Things are always shifting, the environment is changing, and you need to have that requirements exploration process never end. It needs to be iterative with the life of this technology you bring in. That's right, you have to have a nimble software architecture and understand, as I'm bringing new elements into this model, that it's flexible enough to take these changes on and operate in the way that I expected, which can also in and of itself be challenging. So that way you may decide, okay, if I'm going to be doing this, the software architecture needs to be developed in an iterative manner. So once again, let's get together and understand how they work best, and then we'll start adding on incrementally.

Okay, so now the exciting part. We talked about the real AI challenge in terms of data, and we all recognize that artificial intelligence runs on data; you hear about lakes and pools and oceans of data, right? And there's a lot of different things to talk about here. Let's start with the idea first, and we all know this, that the thing we're speaking to there is how usable or how useful is that data that we're collecting for answering the solution, answering the problem that we're trying to solve, right? How fast does it feed the model that we're using? And then you have to worry about, well, okay, is this information accurate? So the data, how good is it? And that could go to all types of questions: where do you collect? How are you collecting? What kind of sensors are you using? Despite using the very correct sensor that I know I need, and despite going to the right location and getting it from the right spot, it could be victimized. I mean, the data could be poisoned: someone will come in and make changes to it, alter it, or do something to it to make it so that it is going to lead you down an improper path, or it's going to break your model and you're not going to get the right answer. There could be bias too in how your model was developed, in terms of favoring one data set versus another, or elements of data sets that may be more important or have greater priority. Maybe you have a broken sensor, or maybe it's your strategy for implementation of those sensors and software, so you could have faulty data collection in that regard. And we always struggle with this idea of having enough data as well. So bear in mind too that a low volume of data could limit our ability to implement this artificial intelligence in the way that we see fit. So what are we going to do here? There's a lot of things to think about here that I'm going to talk about, but that said, there's probably a whole lot more.

Okay, so let's just start at the real basic level of thinking about the model that you've developed and how the data is being used, how it's being collected, and how often do I have to refresh that data? What I think about, actually, is elections, and I'm not here to get political on you, but what I'm trying to think about is: you see polls that are happening leading up to an election, like every week or something like that. That refresh rate is really high, and by the way, it's costing a whole lot of money, right? And the funny thing is, as you watch the polls, there's really not a lot of shift from one week to another. That said, you'll see, well, this poll was trending one way back in January and now in November it's changed or shifted. So you want to think about how you refresh your data. What do you want to think about? Am I really going to want to expunge or get rid of old data? If I do, how long is the temporal window, or am I doing it based on quality? Am I doing it because I've changed my model? So there's a lot of things to think about there in terms of how much data you are going to keep. You're also going to think about what you've collected and how you clean it. You know, data can be noisy, and we all know this, right? We see where you have bad data that's going to come in and maybe not fit the model that you're thinking of, or maybe it's just noise, right? I like to think about those polls: you know, you get people who have all different types of opinions, and some of that may not necessarily fit the question you're even asking. So you're going to think about how am I going to clean that data? How do I get to a point where my system can use it to make and discern the proper decision that I'm looking for? Now, that costs a lot of money, it takes time, it takes special people who have training to sit down and look at it.

Maybe you could automate elements of it, but at the end of the day you're going to have to have somebody checking that, subject matter experts who have to come in and recognize that there's some element of cleaning that's going to need to be done. Okay. Once again, we're hitting upon the interdependence idea here; think back to the slide where I talked about the lack of expertise in the organization. You may hire people, but it's going to take some significant training for them to understand the data and what they're going to do with it, right? So something to keep in mind.

Now, let's say, assuming this far, that we even have something stood up and we have decisions being made by artificial intelligence; it's humming right along in your enterprise, and maybe it's automated decisions with respect to selecting the configuration of controls in your security stack, a controls solution for your organization such that it senses threats in the environment, and it knows and understands and identifies vulnerabilities, and it's making these risk-based decisions to literally go in and change your controls, so that way the gates stay up at all times and the bad guys are not getting into your organization. Beautiful, right? But I'm here to say that it's going to be really challenging to understand how you verify that the correct decisions are being made. Let me give you an example. Think about it this way: we all know that as we modify our controls, there's a balance that's struck there, right? As we limit the number of people that can come through a firewall and access the services that we're providing, as those controls are shifting, we may be blocking out some customers. We may be, as I've talked about before, making decisions, or the AI may be making decisions, that are actually putting some customers in jeopardy. Maybe if they were relying on your services for life-saving kinds of services, this could be really important, right? So you want to think about how you are authorizing these decisions being made, and am I educating the customer so that they know that the decisions being made are the ones that they need, are the ones that they want? Once again, go revisit the expectations piece and tie it all together. And you can see that this register really has some silver threads of commonality going through it, right?

So what are some things that we can do here? Well, first of all, you have to have an understanding or know what you're expecting from the technology solution. What are the questions I'm trying to answer, and how do I expect them to be answered? Take the security example for you, right? We know that we want to keep out APTs, or advanced persistent threats. We want to keep folks from getting into our system, or worse, coming into our system and doing any significant damage; think about that confidentiality, integrity, availability idea. Okay, fair enough, right? But that said, we know that our appetite for those things may be changing over time. Maybe we have data in our system that has grown old and no longer has a use. So how do I verify that, you know, eventually that data was worth the resource that I've invested in protecting it? So once again, something that you may start dismissing, or maybe assuming is almost a foregone conclusion as a customer because you're taking this AI for granted. But that said, all the while you could be losing sight of those critical priorities in your organization.

Okay. So now, as we come to the end of the presentation, in a sense you're probably saying, what do I do? What do I consider here? Where do I go next? So there's some thoughts I want to leave you with here, and this slide is probably the biggest takeaway that you're going to want from this whole discussion, right? We talked a lot about artificial intelligence. We talked a lot about risk. But what's on me, I think, as a technologist, and as technology managers out there in the audience, we really want to think about how we're going to manage this technology. What are we going to do with it? And not only that, we must ask: do we have the policy piece on paper, and what do we expect of our employees, of our organization, of our customers, as to how they behave to feed the data into the system, or maybe they're people who are going to be using the results? We need to think about that, how we're going to manage that technology. I think again about the current pandemic situation that we're in. This is the idea that if we had a policy to tell people how to work remotely, I don't think we would have had a grand panic when everybody was forced to stay home in the February-March time frame, and we could have really talked through how to manage the technology that they were taking home with them and been a little bit more effective. So here are some thoughts on how you can manage that and get the connection of policy and technology. I would recommend that you set up a technology council for your organization if you don't already have one. They need to be considering the ingestion of this artificial intelligence, and they should also have a real strong tie to the risk management program that you have in your organization. Maybe you have a strong enterprise risk management program, maybe you have an information security program in your CISO organization. Either way, those ties need to be strong between this technology council's subject matter experts and their discussion with risk management experts, to understand how that ties to the technology that you're bringing in and the decisions that you're making in your organization. So you still want to think about where the technology is going to be implemented. Is it going to be within a certain function of my organization? What services will be impacted? What customers will be impacted? And you need to think about the appetite that you have for serving those customers and/or possibly failing. If you think about it, right, this technology is nothing more than doing human things and making decisions faster, right? Are you comfortable with that speed of the technology making this decision, and in the time and place that these decisions are being made? Are you comfortable with the results that you're getting? Is your customer comfortable with the results that they're getting in that regard too? And finally, we don't want to walk away from the idea of continually revisiting the equation of that balance between the risk that you're taking and the results that you're getting, right? Am I getting a return on that risk investment in artificial intelligence? Because you can get to a point where we're talking about that data collection, and that data is just so expensive it's prohibitive in terms of what you're getting in terms of benefit, in terms of automating that decision being made, versus having someone who just has some subject matter expertise and a nice strong governance structure that they could consult with, make the decision, and you can move along smartly. Now, to use a real powerful example, with artificial intelligence modifying and updating your security stack, it could be very much a place where there is a strong return on investment; if that's the case, someone needs to continually revisit that model and make sure that the decisions being made are not hurting you in terms of your customer base, in terms of revenue, in terms of delivering those critical services that make your organization go.

Okay, so at the end of the day I want to say that technology, in terms of artificial intelligence, isn't magical; there are a lot of cases where we've done this before. We have ingested other technologies. If you recall back in the day when mobile devices were coming into vogue and we were trying to incorporate those more into our daily tasks and organizations; I remember myself owning a BlackBerry at one point, that was exciting, right? And there was trying to figure out how does the technology fit in the organization. Right, we've kind of seen that before. Another example would be cloud implementation. You've seen that technology come along now, and we've seen organizations having to wrestle with the challenge there. Whether it's artificial intelligence implementation or mobile devices, there are a lot of common challenges here: we're trying to find the right people to answer the right question, and understanding the bounds of that question, what our solution is trying to get to. Okay, so I invite you to reach out to me. I'll leave you with my contact information here. Please feel free to ask any questions as you see fit. I'm happy to serve. Thanks for your time.

