Information security is not a new concept; it has existed for as long as there has been data to secure. The foundation of information security was established in the 1960s with the introduction of packet switching. Since then, the field has been shaped by a series of developments: the proliferation of computer viruses, the expansion of computer networks, the development of secure methods for transacting business over the internet, the growth of the internet itself, the rise of computer hacking and cybercrime, cloud computing, and emerging technologies such as quantum computing and artificial intelligence (AI).
These major milestones created an ongoing and adaptive need for information security. In response, professional organizations developed cybersecurity certifications to guide cybersecurity personnel with practicing and implementing effective information security in their organizations.
ISACA’s Certified Information Security Manager (CISM) was created to assist information security managers in aligning information security with business objectives, safeguarding company assets and managing cybersecurity risks. Although the CISM’s Information Security Risk Management domain includes emerging technologies, AI has advanced so rapidly in recent years that information security managers now need additional layers of knowledge and expertise. To fill this gap, ISACA recently put forward the Advanced in AI Security Management (AAISM) certification.
Managing risks and securing AI share common elements with traditional information security. Traditional information security focuses on confidentiality, integrity and availability. These principles also apply to AI. However, there are differences. The AAISM will focus on areas specific to AI, such as adaptivity, trustworthiness, societal impacts, bias, privacy risks and maintenance.
In traditional information security, integrity controls prevent unauthorized changes to data. Data used for AI, however, is inherently adaptive and changes over time, because the underlying algorithms continuously learn and adapt. These risks need to be understood so that they are effectively addressed during the development, adoption and ongoing management of AI systems. AAISM, attainable by those who have earned a CISM or CISSP credential, provides guidance for mitigating this specific risk.
Societal trust in systems is partially addressed in traditional information security, for example by preventing harm to humans and maintaining data integrity. These concerns become crucial for AI systems, which draw from various data sources that may contain bias. Such bias can be perpetuated, resulting in untrustworthy outputs that may lead to uninformed or biased decisions. Therefore, it is essential to implement safeguards for AI systems to ensure the system’s trustworthiness.
Privacy is a fundamental principle of information security and AI. However, privacy risks differ from those in traditional information security due to AI’s capacity to learn from human interactions and disseminate the information to other systems. We exist in a connected information society characterized by interlinked networks and systems. Given the pervasive nature of AI systems, it is essential to have the ability to implement robust controls to ensure the confidentiality of these systems.
In traditional information security, maintenance typically involves system patching, addressing end-user needs and implementing system enhancements. For AI systems, maintenance takes on an additional dimension because the system can evolve and learn. A governance framework is essential to keep AI within established guardrails, but it must be backed by ongoing work: algorithms must be regularly verified, performance metrics must be defined, established and monitored, and data sets need to be verified. Without these measures, the AI system may degrade over time. AAISM will guide professionals in ensuring that effective maintenance practices are in place.
AAISM will also augment an information security manager’s knowledge of protecting AI systems, because it focuses on governance for AI systems, secure development of AI systems, risk management specific to AI systems, and AI technologies and data management controls. In addition, an information security manager will be in a much better position to integrate AI governance and controls with the frameworks already in place for traditional information security. Therefore, the next logical step for CISMs is the AAISM.
Traditional information security and security for AI share commonalities as well as key differences, such as emphasis on trustworthiness, privacy, bias and maintenance. As AI continues to experience rapid growth, professionals must understand the unique risks associated with this emerging technology. ISACA’s AAISM credential is designed to address these growing needs and represents a natural progression from the CISM certification.