A CISO's Blueprint for AI Security (From ML to GenAI)

Is the current AI hype cycle different from the ones that failed before? How do you build a security program for technology that can't give the same answer twice? This episode features a deep-dive conversation with Damian Hasse, CISO of Moveworks and a security veteran from Amazon's Alexa team, VMware, and Microsoft.

Damian provides a practical blueprint for securing both traditional Machine Learning (ML) and modern Generative AI (GenAI). We discuss the common pitfalls of newly formed AI Councils, where members may lack the necessary ML background to make informed decisions. He shares his framework for assessing AI risk by focusing on the specific use case, the data involved, and building a multi-layered defense against threats like prompt injection and data leakage.

This is an essential guide for any security leader or practitioner tasked with navigating the complexities of AI security, from protecting intellectual property in AI-assisted coding to implementing safeguards for enterprise chatbots.

Questions asked:

(00:00) Introduction(02:31) Who is Damian Hasse? CISO at Moveworks(04:00) AI Security: The Difference Between the Pre-GPT and Post-GPT Eras(06:00) The Problem with New AI Councils Lacking ML Expertise(07:50) A History of AI: The Hype Cycles and Winters Since the 1950s(16:20) Is This AI Hype Cycle Different? The Power of Accessibility(20:25) Securing AI-Assisted Coding: IP Risks, Data Leakage, and Poisoned Models(23:30) The Threat of Indirect Prompt Injection in Open Source Packages(26:20) Are You Asking Your AI the Right Questions? The Power of "What Am I Missing?"(40:20) A CISO's Framework for Securing New AI Features(44:30) Building Practical Safeguards for Enterprise Chatbots(47:25) The Biggest Challenge in Real-Time AI Security: Performance(50:00) Why Access Control in AI is a Deterministic Problem

Resources spoken about during the interview

Tracing the thoughts of a large language model