Dan deBeaubien

CISOs Navigating the GenAI Tide: Actionable Insights from SANS Institute

SANS Institute presents SAP's top five actionable cybersecurity considerations for navigating the GenAI landscape.

June 4, 2024

The adoption of Generative AI (GenAI) is transforming industries, ushering in a new era of innovation and efficiency. However, this technological leap also brings unprecedented cybersecurity challenges. SAP, a global leader in enterprise software, has outlined its approach to GenAI cybersecurity, offering invaluable insights for Chief Information Security Officers (CISOs) and security professionals. Drawing from SAP's strategic document, SANS Institute presents the top five actionable cybersecurity considerations for navigating the GenAI landscape.

1. Adopt a Proactive Security Methodology

SAP's GenAI cybersecurity strategy, grounded in the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF), presents a proactive security methodology that is critical for addressing the challenges of GenAI technologies. This methodology encompasses governance, identification, protection, detection, response, and recovery, laying a comprehensive foundation for integrating GenAI into cybersecurity strategies effectively.

SAP highlights the importance of this approach with its commitment to "depth-in-defense principles extending our ability to identify, protect, detect, respond, and recover." This encapsulates the need for a multilayered defense strategy, acknowledging GenAI's unique vulnerabilities and ensuring mechanisms are in place to counteract potential threats.

Enhancing SAP's methodology with a focus on actionable steps, organizations should:

  • Governance: Establish a governance model that not only oversees the development and deployment of GenAI policies and projects but also ensures compliance with ethical standards and legal requirements. This involves setting up a cross-functional governance board that includes stakeholders from security, legal, IT, and business units to oversee GenAI initiatives. It is critical that organizations quickly establish policies to address these issues.
  • Identification: Develop a comprehensive asset management system that catalogs and classifies data, algorithms, models, and infrastructures involved in GenAI operations. This system should be capable of identifying critical assets and assessing their vulnerability to attacks, thus facilitating a risk-based approach to security. The policy should address asset changes within the organization and ensure transparency when using GenAI.
  • Protection: In addition to traditional cybersecurity measures, protection in GenAI requires implementing AI-specific security practices. These might include securing AI data pipelines, protecting model integrity, and ensuring the confidentiality of AI training data through techniques like federated learning and differential privacy. Developers creating applications and systems should be trained on, and make use of, resources like the OWASP Top 10 for LLM Applications and MITRE ATLAS.
  • Detection: Leverage GenAI capabilities to enhance threat detection mechanisms. This could involve using AI-driven analytical tools to identify subtle anomalies in system behavior that might indicate a security breach, thus enabling faster and more accurate detection. Many toolsets involved in threat detection also incorporate AI capability, and we review our systems regularly.
  • Response: Craft GenAI-informed incident response plans that include scenarios involving AI systems as both the target and the tool of cyber attacks. This includes developing procedures for isolating affected systems, conducting forensics on AI models, and restoring services securely.
  • Recovery: Implement strategies for rapid recovery that leverage GenAI technologies to minimize downtime and data loss. This could involve using machine learning models to predict potential failure points and running loss and recovery simulations to ensure the recovery strategies are effective and efficient.

This enhanced methodology not only prepares organizations to tackle GenAI-related security challenges but also enables them to leverage GenAI advancements securely and efficiently. Adopting these steps fosters a robust, adaptable security posture that protects against evolving cyber threats while embracing GenAI innovation.

2. Understand and Address GenAI-Specific Risks

SAP's strategy delineates three critical risk categories for GenAI: adoption, vulnerability, and weaponization. These categories underscore the importance of a nuanced approach to GenAI's unique challenges and the complexity that comes with its adoption. As noted, "GenAI technologies are so immensely complex that understanding their operation is an active field of scientific research," which highlights the dynamic nature of these risks and the necessity for continuous learning and adaptation.

To navigate these risks effectively, organizations should:

  • Adoption Risks: Prioritize awareness and training to mitigate human error and ensure responsible use of GenAI. Establish guidelines that delineate safe practices and create a culture of security mindfulness among users and developers. Not all GenAI systems and implementations are equal. Local AI models, cloud API AI solutions, AI databases, and services each have their own data security and privacy practices, policies, and licensing agreements. Study these carefully and understand the implications for data security.
  • Vulnerability Risks: Implement rigorous security protocols for GenAI models, including regular vulnerability assessments and the adoption of secure coding practices. Stay informed about emerging threats specific to GenAI, such as prompt injection attacks or model exploitation.
  • Weaponization Risks: Prepare for the potential misuse of GenAI by adversaries by incorporating threat intelligence into security strategies. This includes understanding how GenAI can be used in phishing attacks, voice and video cloning attacks, malware development, or to enhance the sophistication of cyber threats. Prioritize continuous learning amongst security teams as the threat landscape is evolving rapidly.

For each of these risk categories, a proactive stance—characterized by ongoing education, robust security practices, and an agile response strategy—is essential. By staying ahead of the curve and anticipating how GenAI can be exploited or pose new vulnerabilities, organizations can safeguard their digital assets while harnessing the full potential of this transformative technology.

3. Prioritize Data Security and Integrity

In the realm of GenAI, SAP emphasizes the paramount importance of data security, underpinned by rigorous data classification, labeling, and handling protocols. The inherent complexity of GenAI technologies demands more than traditional security measures, as noted, "Strong access control and monitoring are proven, effective defenses for traditional software. But in the case of GenAI, these approaches alone are insufficient," underscoring the necessity for advanced protections.

Key actions for bolstering data security in GenAI applications include:

  • Enhanced Data Management: Develop comprehensive data governance frameworks that not only categorize and label data but also ensure its integrity throughout its lifecycle. This includes strict controls over data access, usage, and storage, especially for data involved in training GenAI models.
  • Establish User Training: Definitions of acceptable GenAI usage need to incorporate data classification and align with how GenAI is actually used. Acceptable use policies, emerging global legislation, SOC, and ISO requirements need to be considered when putting any protected data into GenAI toolsets, and users need to be trained accordingly.
  • Advanced Monitoring and Access Control: Implement next-generation monitoring tools that leverage AI to detect anomalies in data access and usage, providing a proactive stance against unauthorized or malicious activities. Access controls should be dynamic, adapting to the evolving risk landscape specific to GenAI operations.
  • Encryption and Anonymization: Use encryption techniques for data at rest and in transit and anonymize or tokenize sensitive data used in GenAI model training to prevent exposure of identifiable information.

By prioritizing these enhanced security measures, organizations can ensure the confidentiality, integrity, and availability of data central to GenAI technologies, mitigating risks and safeguarding against potential breaches. This approach not only protects sensitive information but also builds trust in GenAI applications by demonstrating a commitment to data security and privacy.

4. Brace for Emerging GenAI Threats

SAP's white paper sheds light on the novel vulnerabilities introduced by GenAI, such as prompt injection, glitch tokens, and AI hallucinations. These unique threats necessitate cutting-edge defensive strategies. Highlighting the potential for misuse, SAP cautions, "Adversaries can take advantage of this trust whether GenAI outputs insecure code, AI hallucinations, or simply bad advice," underlining the urgency for tailored security measures against these specific vulnerabilities.

To effectively counter these emerging threats, organizations should:

  • Robust Validation Processes: Establish rigorous validation protocols for GenAI outputs, ensuring that the generated content, whether code or data, undergoes thorough security checks before deployment or utilization. This includes reviews by subject-matter experts and the use of robust software development life cycle tools.
  • Continuous Security Training: Equip teams with the latest knowledge of GenAI threats through ongoing training and workshops. Understanding the landscape of potential vulnerabilities can empower developers and security professionals to address risks preemptively.
  • Collaborative Threat Intelligence: Engage in threat intelligence sharing platforms to stay informed about the latest GenAI vulnerabilities and attack vectors. Collective knowledge can drive the development of more effective defense mechanisms.

By adopting these strategies, CISOs can prepare their organizations to confront and mitigate GenAI's unique challenges, ensuring that innovation remains a force for growth rather than a vulnerability to be exploited.

5. Leverage GenAI to Strengthen Cybersecurity Defenses

SAP acknowledges the dual nature of GenAI as both a potential cybersecurity challenge and a significant ally in enhancing security measures. The integration of GenAI into security processes offers innovative avenues for automation, advanced threat detection, and overall enhancement of an organization's cybersecurity posture. "By leveraging GenAI responsibly and appropriately," SAP believes, "GenAI can enable new security automation capabilities, reduce risk, and help to improve the overall security posture of SAP and our customers," showcasing GenAI's transformative impact on cybersecurity.

To capitalize on GenAI's potential, it's crucial for organizations to:

  • Embed Automated Security Processes: Consider GenAI-driven technologies to automate routine and complex security tasks, thereby increasing efficiency and allowing cybersecurity teams to concentrate on strategic security planning and incident response.
  • Enhance Threat Detection: Use GenAI’s capacity to process and analyze vast datasets to identify subtle, emerging threats more swiftly and accurately than traditional methods allow. Evaluate and consider implementing AI-driven cyber-threat detection solutions.
  • Refine Risk Management: Apply GenAI tools for dynamic risk assessment, offering real-time insights that enable organizations to swiftly adapt their security strategies in response to new threats. Evaluate the NIST AI Risk Management Framework and consider implementing applicable RMF measures.
  • Cultivate a Culture of Continuous Learning: Establishing a culture that prioritizes ongoing training and education is essential. This ensures that security teams, developers, and all staff remain ahead of the curve in understanding and leveraging GenAI for security and in interpreting and responding effectively to GenAI-generated insights and alerts. Regular training sessions, workshops, and simulations can prepare the workforce to utilize GenAI tools and critically analyze their outputs, fostering a proactive stance towards cybersecurity.
  • Encourage Collaborative Analysis and Interpretation: Promote an organizational culture that values transparent AI use and collective analysis of GenAI results, encouraging teams to question, interpret, and validate AI-generated data and decisions. This collaborative approach ensures a broad spectrum of expertise is applied to understanding the nuances of GenAI outputs, leading to more informed and effective decision-making.

Incorporating GenAI into cybersecurity strategies mitigates associated risks and leverages its vast capabilities to secure digital assets more effectively. By fostering a culture of continuous learning and collaborative analysis, organizations can stay ahead of cyber threats and maximize GenAI's benefits, transforming potential vulnerabilities into formidable cybersecurity strengths.

Moving Forward

SAP's GenAI cybersecurity strategy provides CISOs with a vital framework for managing the complexities of GenAI in cybersecurity, focusing on proactive security methodologies, understanding GenAI-specific risks, and utilizing GenAI to strengthen defenses. However, the cornerstone of this strategy's success is the emphasis on continuous training. As the GenAI landscape evolves, equipping teams with the knowledge to navigate and leverage these advancements becomes crucial. Training ensures that CISOs and their teams are not only prepared to tackle emerging threats but are also proficient in harnessing GenAI's potential to secure the digital future effectively.

Tags:
  • Artificial Intelligence (AI)
  • Cybersecurity Leadership
