Oct 23, 2024

By John Visneski , CISO at Sumo Logic John Visneski,  Sumo Logic’s CISO, provides guidance on how companies can identify the best AI security solutions for their needs. This article originally appeared in Insight Jam , an enterprise IT community that enables human conversation on AI. Imagine a company eagerly investing in a “cutting-edge” AI-powered security tool that promises to revolutionize its Security Operations Center (SOC) through autonomous threat detection and response. The company, lured in by flashy marketing materials, implements the tool expecting significant improvements in efficiency and cost-savings. Only months later does the company discover that the tool is a glorified automation script with no true AI capabilities. No meaningful savings materialize, security vulnerabilities persist, and a preventable breach damages the company’s reputation. Unfortunately, this scenario is not unique; it’s a classic case of AI washing, which has been plaguing the security industry and gaining more recognition with the advent of generative AI. What is AI Washing? AI washing refers to the marketing practice of overstating or outright fabricating the role of AI in their products to make them seem more advanced or cutting-edge than they are. This practice is particularly rampant in the security space, with many vendors promising AI-powered solutions that can automate threat detection, network monitoring, incident response, or vulnerability management. For example, imagine buying a junker car marketed as brand new. You expect it to drive smoothly, but soon enough, the car is constantly breaking down, leading to unexpected repair costs and a loss of trust in the dealership that sold you the vehicle. Similarly, companies invest in overhyped AI tools without understanding their true capabilities, leading to costly missteps. As AI developments continue to attract global attention, more companies are eager to claim their technology is AI-enabled—whether it is or not. Buyers seeking AI products must watch out for exaggerated claims and maintain a methodical approach to vetting potential solutions. The Pitfalls of Falling for the Hype For companies that fall victim to AI washing, consequences typically come from operational inefficiencies, wasted capital, and exploitable vulnerabilities. AI-washed capabilities often force teams to revert to manual threat management, creating unexpected workload and labor cost increases. These tools may also miss threats altogether, exposing the organization’s infrastructure to easily avoidable breaches. Given all of this, how can businesses protect themselves from AI washing? The key lies in asking the right questions, diving into the tech and the data behind it, and approaching the new world of AI with a healthy dose of skepticism. Here are three critical strategies for organizations to consider when weighing AI options. 1) Follow the Data AI thrives on data. Large, well-trained large language models (LLMs) require immense amounts of data to function effectively, making the quantity and quality of available data available critical to a vendor. Vendors like AWS, Google, and Microsoft have the advantage of vast data lakes, enabling them to build and refine comprehensive AI tools effectively. On the other hand, unless smaller vendors are working with partners, they often don’t have access to the quantity of quality data necessary to build effective AI solutions. When evaluating solutions, ensure the vendor has a sufficient and diverse data set to train their AI model. 2) Have Data Scientists on Staff When evaluating AI vendors, a strong indicator of the solutions’ authenticity and quality is the composition of their teams. While many startups offer innovative approaches, be sure to vet them carefully. Ensure the vendor has AI experts directly involved in product development, providing the critical expertise needed to enhance the solution. Beyond leadership, look for a dedicated team of data scientists or AI engineers who have experience working with AI tools and large data sets. Vendors relying solely on developers without specific AI expertise are more likely to offer AI-washed solutions. A team with this depth of expertise can better assess and validate the capabilities of their AI technology, ensuring you’re choosing a genuinely AI-powered solution. 3) Ask for Proof Don’t take a vendor’s word at face value. Request white papers, case studies, and metrics that demonstrate that the solution is performing as marketed. While vendors might be hesitant to show proof due to proprietary information, it’s essential to feel confident that the AI solution in question will accomplish the desired objectives before purchasing. Be sure to thoroughly review any shared materials before signing any agreement to validate that the product can deliver on its promises. Avoiding the Pitfalls of AI-Washed Solutions Unintentionally investing in AI-washed solutions can have severe consequences and prevent organizations from achieving their cybersecurity goals. Organizations may find themselves overpaying for lackluster technology, only increasing analyst burnout and leaving critical vulnerabilities unprotected. AI, like machine learning, has already improved how our security teams respond to threats today. The hype is real, but it’s important to remain realistic. The key to navigating the world of AI-powered security solutions and claims is vigilance. By looking at AI solutions with a skeptical eye and identifying the gaps between marketing promises and reality, security professionals can avoid the costly mistake of investing in over-hyped, AI-washed solutions. Share This Tags