In Security, ‘There’s Two Sides to AI,’ Box CISO Says
CIO Upside sat down with Box’s recently appointed CISO to discuss emerging threats, AI agents in security and her new role.

AI can be a double-edged sword in security. That doesn’t mean you shouldn’t leverage it.
While the technology has created a new set of risks, it also has the capacity to strengthen the weakest link in security: humans, Heather Ceylan, chief information security officer at cloud storage company Box, told CIO Upside.
“There’s two sides to AI,” said Ceylan. “It’s great from a security perspective, because it brings us so many new opportunities that maybe didn’t even exist before. But it also brings about a new set of risks.”
It’s no secret that AI has turned the threat landscape on its head, Ceylan said:
- The tech has given bad actors a far wider arsenal of tools to work with to discover and exploit vulnerabilities. Plus, users who leverage AI without understanding the risk that models can easily be reverse-engineered to spill the beans create a wider attack surface for hackers to leverage.
- The risks become even more pronounced in the age of AI agents, said Ceylan, which can create vulnerabilities as they act on our behalf “with varying degrees of independence.” Additionally, “adversary-controlled agents” present a threat, she noted.
The biggest vulnerability in an organization, however, is always going to be personnel, Ceylan said: “The number one cause of breaches today still is the human element.” Ceylan, who began her role at Box in May, was previously the deputy CISO at Zoom, shepherding the company through the security challenge of its skyrocketing popularity early in the pandemic.
The company’s “overnight” pivot from B2B to B2C forced her to quickly rethink its approach to security: “Before you had IT admin setting the security controls of the software, and now you have grandma that you’re Zooming with.”
That lesson in adaptability has allowed her to understand and regulate the risk that humans pose in creating vulnerabilities in her role at Box, finding a balance between the good, the bad and the ugly of AI. Examples might include offering training on how to use AI safely or implementing “real-time” agents that monitor cyber-safety practices in your workforce’s day-to-day.
In more advanced cases, she said, agents may execute actions for security teams or perform design reviews to check for vulnerabilities in products prior to releases, while keeping a human in the loop for “sensitive actions.”
For enterprises struggling with their security posture in the face of AI, ignoring the tech isn’t an option, but you “can’t let it distract you from the basics” like consistent patch management, identity controls and risk monitoring, Ceylan said.
“AI amplifies both capabilities and risks,” said Ceylan. “But if you have the right defense posture, you’re combining identity controls, data governance, observability, human oversight … you shouldn’t let the risks slow you down. You just have to manage them as you always have been.”