Skip to main content

Perspectives Home / SECURITY

The Hidden Foundation of AI That Many Tech Leaders May Overlook

Leaders will miss out on the real potential of AI unless they can get a handle on one critical thing.

A black and white image of a waterfall with a gradient border line following the overhang.

AI is poised to be as important as the PC, the internet, the first smart phones — all technologies that have fundamentally changed the way we live and work. On October 30, President Biden even issued an executive order (EO) on “safe, secure, and trustworthy artificial intelligence” covering the need to establish new standards for privacy, setting guidelines to curb potential discrimination as a result of AI use or algorithms, and mandating guidance for government agency AI use.

That the government officially recognizes that importance with something like an executive order is positive. And it makes sense that there’s so much focus on responsibility guardrails for AI, concerns for bias, concerns for strengthening inequities; AI carries a significant level of responsibility, which we must balance with a tremendous amount of positive impact. This executive order may be the first step in a long road to AI regulation.

But based on my experience over nearly 30 years in global information security and risk management, including as a Chief Digital Trust Officer and CISO, this executive order highlights one major piece of the puzzle that’s missing from many of these discussions, both in the public and private sectors: the importance of data. Simply put, it’s dangerous for AI itself to get more attention than the challenges of proper data management, data governance and data security. If business leaders don’t start thinking about it, they’re going to miss out.

The algorithm is important, but the data it runs on is foundational

AI’s power is tethered to the data that's used to train it and the data that the AI is acting on. If we don’t pay enough attention to the data issues and focus only on the algorithmic issues, we’re not looking at the whole picture. Biased algorithms can be pretty difficult to design. What's usually biased is the data that's training it.

Generative AI advancements like that of OpenAI were mostly trained on what's accessible on the public internet, like Wikipedia and Reddit. What's really going to move the needle from a corporate perspective is a company’s ability to leverage its own data to train the AI — especially what I would call “operational data”: Your financial system data, all of your ERP data. If you're in an intellectual property industry, you're developing new products or new capabilities. You've got all sorts of intellectual property in your research and development, and all of that data is really, really juicy.

There are many challenges here: most companies’ data is quite confidential. Until recently, the technology to monitor the broad set of data that most companies have has not been adequate, and the technologies that do exist are largely focused on things like email or office documents — things that human beings write. That aforementioned operational data is harder to access. Plus, data is in different formats and different systems, and is growing very rapidly. Finally, not many businesses have control of the data because it’s stored in different places, like the cloud. It moves around quite a bit and its sensitivity may change quickly.

So here is my advice to leaders, if they want to make the most of this AI moment:

  1. Get full observability of your data. For any business leader who wants to really leverage the power of AI for their company, they've got to get a handle on that type of data. I suspect for most industries it's difficult to know where it is, how it's moving and how it's changing. And it's going to be growing significantly more in the future than it is now, because data is becoming a new oil; data is being generated by everything. It's being used by everything. Any business that wasn't dependent on data before is now or will be.

    For example, healthcare is driving the world's largest amount of data. That’s only going to get bigger for that industry, especially when you start thinking about things like Fitbit data, iWatch data, wearables that people are using to manage their health and fitness. Medical providers are going to use those types of tools much more for providing and managing care, and add all that data to this system. And that’s just one example where handling the challenges of today isn't going to be sufficient.

  2. Collaborate to define data governance. My primary recommendation for security and IT leaders is not to assume that they can handle data governance alone. There are a lot of security groups out there who are too disconnected from the business because they tend to remain focused on the technology side of security. They don't recognize how the business is using data. Security leaders do have an advantage that they should lean on, though: that they need to understand how the entire business operates to be effective. They don't just sit in research and development, or in commercial or manufacturing or HR or legal. They have to cover the entire company.

    If no one else is driving these discussions, then security and IT leadership could leverage that responsibility and level of scope to start these discussions, especially if no one else is. But it’s critical to recognize that they need people from the business to get involved and understand what their role is in owning and stewarding data.

    In the past, an R&D or marketing or procurement leader may not recognize that their line of business, their function and their organization generates and requires data to run. Maybe they assume that IT would take care of that. Now they own that data. They understand its value to the business. They understand its appropriate use. They understand the insights they want to get out of it, and they have to step up and understand what that means from a roles and responsibilities perspective.

  3. Once those conversations begin, adapt your security and risk mindset. You can start coaching and understanding the risky scenarios that may impact that data harmfully or inappropriately. Discuss what’s most important to the business. That’s important too, because in many organizations, maybe 10-15% of the data is the most sensitive that could impact business negatively if it's compromised or exposed. How do you navigate all the data that you have and find that 10-15%? You need the business's help to do that.

  4. Prepare to up-level your data protection and access control capabilities. Most security organizations have built their data protection capabilities around DLP, and their access control governance around on-premises applications. Neither is sufficient for the massive growth and dynamics of today's data models. Building on the visibility and understanding of data I’ve already mentioned, we must build and operationalize modern data security and access control capabilities to address today's and tomorrow's challenges of cloud scale, variability of data and access models and context of lifecycle and usage.

In sum, your data could fuel the most helpful AI for your organization — if you can get to it, govern it and act on it meaningfully.

Mike Towers has three decades of experience in digital trust, data protection, global information security and risk management. He is a strategic advisor and board member, has served as a chief digital trust officer and CISO for multinational corporations like Takeda, Allergan and GlaxoSmithKline, and is the founder and principal of Digital Trust Group.

Related content

NOVEMBER 2, 2023

How the C-Suite Should Think About AI Today

Read more Perspectives by Splunk

SEPTEMBER 7, 2023 • 3 minute read

How Leaders Can Ease Generative AI Growing Pains for Their Workforce

Will generative AI improve employee resilience or cause massive headaches? Splunk's Petra Jenner discusses with analysts Daniel Newman and Pat Moorhead.

OCTOBER 25, 2023 • 7 minute read

13 Tech and Security Trends to Look Out for in 2024, According to CxOs

CTOs, CIOs and CISOs from across industries weigh in on what to expect for AI, zero trust, talent and more.

OCTOBER 18, 2023 • 4 minutes

How CISOs Are (and Aren’t) Using Generative AI

Are you leading, following or middle of the pack?

Get more perspectives from security, IT and engineering leaders delivered straight to your inbox.