Merritt Baer and Devon Bryan at FAIRCON25
AI changes everything - or does it? At the recent FAIR Conference, four experienced CISOs shared their front-line experience on what’s working and what needs a reset in cybersecurity in this period of profound disruption. Spoiler: FAIR and CRQ continue to prove their worth as highly adaptable tools for cyber decision intelligence.
Watch the video now: Resetting Cyber Risk in the Age of AI - CISO Panel at FAIRCON25
Panelists:
Sharon Hagi, CISO, Silicon Labs
Devon Bryan, Global CSO, Booking Holdings
Merritt Baer, CSO, Enkrypt AI
Khalil Jackson, Global Head of Cybersecurity Operations and Defense, Bank of New York
Moderator:
Jared Perlo, AI Reporter, NBC News
Some (of many) takeaways from the discussion:
In FAIR terms, AI mostly changes frequency, not loss magnitude
LLMs accelerate coding for both attackers and defenders. “Those capabilities lower the threshold for threat actors to find vulnerabilities and exploit them,” Sharon Hagi said. “The frequency of successful attacks is just going to increase.” That heightens the imperative for defenders to automate risk data input and process it in quantitative terms. “We can’t express these risks in terms of high/medium/low” and expect to scale to meet the challenge.
Defensive AI is here but “fully autonomous” security still has a reliability challenge
Devon Bryan gave a detailed look at his organization’s AI-leveraging initiatives “that are really force multipliers for us”: automating phishing detection response, level 1 and 2 SOC triage analysis, automating pentesting, early detection of code vulnerabilities, automating attack surface management outside-in and more. Sharon Hagi seconded that, but added “we have yet to see” a comprehensive security program with agentic AI operating at levels that are “consistent, predictable and accurate to a very high degree.”
In the age of AI cybersecurity, everything old is new again
“I have a somewhat contentious opinion that AI shouldn’t be that new and it shouldn’t be that radical,” Merritt Baer said. “You should have a defensible, attestable, repeatable approach just as you would for any other part of your enterprise…You need tooling that gives you visibility, red teaming, guardrailing, continuous validation and enforcement…You probably do that around your networking and end points…It’s going to be part of the work of a mature security shop.”
AI forces explicit accountability for decisions
Khalil Jackson said, “If you're an institution and you're leveraging AI to any degree, you have already passed an inflection point of how you elevate policy and standards…If your executive committee is coming to you and saying we need to use AI, that also means there needs to be accountability and a responsibility on their behalf,” for instance for data, how it is created, for what purpose and who owns it. “It’s about understanding the economics and the sociology of the decisions that are made.”