Generative AI and Risk Management: Q&A With Senior Attest Services Consultant Devin Olsen

October 24, 2024 | AI

The rise of artificial intelligence (AI) and generative AI tools like ChatGPT has brought with it new opportunities—and new risks—for organizations and individuals alike. 

As generative AI continues to grow in popularity, we sat down with Devin Olsen, a senior consultant on BARR’s attest services team, to get an expert’s perspective on how this technology is changing the risk management landscape for businesses and individuals.

Q: What are some of the security risks that generative AI poses to businesses?

“The most concerning threats posed by generative AI are its capabilities for data management and social engineering. It can ingest massive amounts of data, be asked questions on that data in plain English, and return easily readable information, with no specialized database or query language knowledge required. AI tools can also enable increasingly sophisticated social engineering attacks by generating realistic documents and conversations with relatively little effort or technical prowess required. In the hands of highly trained and funded nation-state actors, AI could be used to upscale the generation of zero-day malware exploits and bypass current threat detection defenses.”

Q: What immediate steps can organizations take to mitigate these risks?

“AI doesn’t pose a direct threat that can be mitigated with a single defense mechanism. However, an increased focus on cybersecurity awareness and training for employees should be a top priority for any organization. The largest and most easily exploited risk factor in any organization is its people, and the increased sophistication of social engineering tools means the threats are harder to distinguish from genuine actions.

“Additionally, no technology should be integrated into an organization until it is properly understood and employees have been trained on its operation. Adopting technology before understanding the risks it poses can lead to catastrophic consequences, particularly when that technology has as broad a scope of impact as an AI tool.”

Q: What skills do you think will be essential for security professionals as technologies like these continue to advance?

“In the age of AI and automation, critical thinking is the most important skill for people to have. The ability to not only evaluate new data, but also interpret it in a meaningful capacity on the fly, and to make judgment calls tailored to that particular situation, is something robots cannot successfully emulate—yet.”

Q: What are some of the security risks that generative AI poses to individuals?

“There is a massive amount of data on the internet about everyone, including names, addresses, and phone numbers. Personal data is spread out across multiple platforms, and that includes data breach dumps on the dark web. A threat actor could use AI to ingest massive amounts of data and build complete profiles on individuals that include potentially compromising information, depending on the nature of the breach used. This could lead to multiple attack vectors, ranging from simple spear-phishing attacks to detailed impersonations, or even outright blackmail.”

Q: Has the rise of new technologies like generative AI rendered traditional security best practices, like implementing multi-factor authentication (MFA), obsolete?

“I would argue that generative AI hasn’t advanced enough to make anything obsolete. It does, however, expand the capabilities of certain technologies and strategies, such as social engineering and data filtering.”

Frameworks like ISO 42001 and HITRUST’s AI Risk Management Assessment were designed to help AI-powered organizations navigate the modern risk landscape. Speak with our expert team to discuss adding these standards to your compliance program.

Devin Olsen is a senior consultant on the attest services team at BARR Advisory. In his current role, Devin specializes in planning and executing cyber risk engagements, including information technology audits against frameworks like SOC 2. Prior to joining the BARR team, Devin worked in education.
