Industry leaders are stressing the importance of striking the right balance when it comes to regulating artificial intelligence (AI). Sam Altman, CEO of OpenAI, recently embarked on a multi-city tour to address public concerns about the risks of AI. During a stop in London, Altman highlighted that while the technology could worsen disinformation, over-regulation could hamper its development. Altman referred to the European Parliament’s AI Act, which is currently being debated, as an example of potential over-regulation. He suggested that the balance lies somewhere between the traditional European-UK approach and the traditional US approach.
However, Altman’s remarks reportedly provoked EU industry chief Thierry Breton, who stated that OpenAI’s ability to comply would not influence lawmakers’ decisions. Altman later walked back his comments on Twitter, stating that his week of conversations in Europe about how to best regulate AI was very productive, and that the company had no plans to leave the region.
Microsoft president Brad Smith has also recently emphasized the importance of balance when it comes to AI. Smith, who predicted back in 2017 that AI would be at the forefront of tech legislation debate in about five years, gathered government officials, members of Congress, and policy experts to unveil his “blueprint for public governance of AI.” Similarly to Altman, Smith stressed that balancing tight tech regulations while not sacrificing public safety is key.
One way to ensure that AI development is appropriately regulated is through improved communication between chief information security officers (CISOs) and their boards. The US Securities and Exchange Commission is proposing new regulations that would require publicly listed companies to disclose which board members are responsible for cybersecurity, how often cybersecurity is reviewed, and how cyber risks are incorporated into the company’s overall risk management strategy. These proposed regulations aim to give CISOs increased responsibility in communicating their companies’ cybersecurity policies to the board and ensuring that board members understand the reasoning behind these strategies.
Forbes recommends that CISOs focus only on the data necessary to help the board understand cybersecurity decisions, rather than overwhelming them with facts and figures. Conducting tabletop exercises can make it easier for the board to visualize the company’s incident response plans. Adding a cybersecurity expert to the board can also serve as a translator for board members on the technical aspects of security strategy.
CISOs have an additional responsibility when it comes to disclosure protocols. The recent sentencing of former Uber CISO Joseph Sullivan highlighted the need for CISOs to fully understand the complex rules of cybersecurity incident disclosure. SolarWinds CISO Tim Brown suggests that a detailed rundown of incident reporting rules, similar to the 2002 Sarbanes-Oxley Act for CFOs, could help CISOs navigate the complicated maze of cyber response rules and deadlines. CISO coordination with legal and communications stakeholders is essential, ensuring that responses are in line with regulations and legal requirements while providing the right stakeholders with the appropriate level of information. Companies must also consider how disclosure deadlines might impact the time it takes to effectively detect and respond to incidents, as Dave Gerry, CEO of Bugcrowd, notes.
Balancing the regulation of AI with technological advancement, as well as ensuring effective communication between CISOs and their boards, are both essential components of cybersecurity strategy.