Two things you need in place to successfully adopt AI

Organizations should not shy away from taking advantage of AI tools, but they need to find the right balance between maximizing efficiency and mitigating organizational risk. They need to put in place:

1. A seamless AI security policy

AI may have previously been a technology that only developers or specialists interacted with, but today, at all levels within companies, employees use AI to assist them in various tasks. Organizations must therefore educate all employees on which LLMs and agent applications they are authorized to use and the type of data they are allowed to share with these systems.

A well-defined policy is essential for companies to deploy and leverage this technology securely. This technology will continue to move fast and innovate giving automation and machines more power in organizational decision-making, and the first line of defense for companies is a clear, accessible AI policy that the whole company is aware of and subscribes to.

Enforcing a security policy also means defining what risk ratings are acceptable for an organization, and the ability to reprioritize the risk ratings as the environment changes.

There are always going to be errors and false positives. Different organizations have different risk tolerances or different interpretations depending on their operations and data sensitivity.

It is important that organizations remember that the goal of a security policy is to not interrupt employee workflows or make it hard to follow but ultimately to protect the organization and its customers. The more seamless the security policies are, the less likely those within a company will try to bypass them to leverage AI innovation.

2. Make sure developers have secure code knowledge

In addition to rolling out clear security policies around the use of AI, companies must also consider their developers’ desire to use new AI tools and agents to help them write code at a faster rate. In this case, companies must ensure that their security teams have tested the prospective AI tools and that their developers are trained in writing code securely, with extensive knowledge of common vulnerabilities, secure design principles, and the secure implementation of software features – continuously upskilling themselves.

Having a developer with such knowledge could be the difference between a breach taking place in production or not and protecting organizations from potential vulnerabilities and malicious attacks that may arise from increased AI adoption.

The reality is, however, that only a minority of developers learn in college or university settings, and even then, not one of the top 50 undergraduate computer science programs in the US requires a course in secure code or application security for majors.

Developers need to have a secure code mindset that extends beyond basic coding knowledge. Code written by developers needs to be clear, elegant, and secure. If it is not, it leaves that written code open for attack. Secure coding training driven by industry is, therefore, a must and must be built into an organization’s DNA, especially during a time when the already prevalent AppSec dilemma is being intensified by the current tech layoffs.

This training should:

Go beyond “tick-box” awareness

One-off education programs are no longer enough; education must be an evolving journey for better architectural understanding and decision-making. It should never be a tick-box, “one-and-done” approach, but instead a continuous process. In an era of fast-moving malicious AI agents, zero-day vulnerabilities and supply chains that incorporate increasingly complex elements, education must evolve alongside security threats to empower teams with current knowledge.

Set measurable goals

To ensure any training program is successful, it is important to gather information that can be used to measure progress. This might be, for example, the number of vulnerabilities that appear within a developer’s code before and after training.

As developers progress through their training, providing feedback helps to incentivize improvement and ensures employees stay engaged with their security champions program. Providing tangible reports also helps to get buy-in and support from stakeholders. By sharing proven success, security training doesn’t have to be constantly defended to a board of directors.

Remain relevant

It is important that training changes according to the day-to-day issues and workflows of developers, in their relevant coding language and specific to the role they have in the organization. No education will resonate if it’s far too advanced, too basic or irrelevant to the languages and problems developers use each day. What’s more, it’s critical the developers are provided with context – not just what the solution is, but why it matters.

Incentivize security success

Organizations should be offering incentives and rewards to those who are consistently applying security best practices in their day-to-day work. These don’t have to be monetary, but whatever best suits the culture of a business. Security “champions” can then set examples, engage others, and organically influence change.