‘Fighting Back’ Against AI Audits


If you think AI tools alone can take over managing your ISMS, read on. Jenny Odell, the artist, writer and lecturer at Stanford University, once described the concept of context collapse. This is a modern phenomenon where, thanks to the likes of social media, we whittle a speech, a book or a presentation down to a single phrase or sentence and form an opinion around that fragment. The problem is that doing so strips away the context of the original work, and we form our opinion without ever considering it.

We see this occurring in politics frequently, but you might be wondering why I’m mentioning it in relation to information security audits. Having been an auditor for over a decade and worked as a lead assessor for a certification body for four of those years, I’ve seen several audit reports where the internal or external auditor had given a finding that didn’t take the context of the organisation into account.

Here’s one example: a certification body had given a small organisation a finding for not having a documented org chart. The missing context was that the organisation had just two people working in it … who were married to each other.

Auditing, Accountability and AI

A famous quote, attributed to an IBM training slide from 1979, says: “a computer can never be held accountable, therefore a computer must never make a management decision”. Given that we are offloading more and more tasks to computers through machine learning and artificial intelligence (AI), at what point do we draw the line and get a human involved?

There is definitely scope for AI to assist with things like anonymised document reviews or intelligence gathering prior to an audit. But I would argue that a human should and must always be involved in the decision making. In the context of audits, this means that, at a minimum, the human auditor conducts the client interviews and reviews every document the AI tool has examined (and likely marked up), rather than just the tool’s summary. The human should then come to a decision holistically, based on all of that information.

I once audited an organisation that had attempted to automate its internal audits, with limited success. The scripts it had developed checked key performance indicators (KPIs) for its control objectives and presented them on a dashboard, alongside a multitude of other checks designed to test controls. This was efficient, but it still missed the links between controls and the subtleties of human language. Another company had been completing and reporting on annual disaster recovery tests, and had conducted everything according to the schedule with validated results and lessons learned. There was just one issue: the hardware that the client data had been restored onto was housed in an employee’s attic.

Understanding Organisational Objectives

If you were using AI to review an organisation’s information security objectives, how would it know which is better, three objectives or fifty? How could it tell the difference between a well-worded objective that was added as a result of an online search, or a not-so-well worded objective that accurately reflects the risk management aims of the board? Also, how would an AI tool know whether the KPIs, key control indicators (KCIs) or key risk indicators (KRIs) are appropriate to the objectives?

An example of control links would be business continuity scenarios that are critical to the organisation, but aren’t documented in the risk register. If it’s not a risk, then the scenario shouldn’t be tested; but if it is a risk, it should also be in the risk register. Similarly, organisations are required to have documented all current legal, regulatory, contractual and statutory requirements for the jurisdictions they operate in, but knowing the context of these in relation to what the organisation actually does is critical in audit findings. Just because you have an office in the US where HIPAA is enforced doesn’t mean you necessarily have to comply with it. Do you even process health-related data?

Under Pressure: Where AI Helps With Deadlines

There may be times when the auditor is inundated with items to review in a short timeframe. In a previous role I sometimes had four audits for different organisations to complete and report on in five days, and then it was on to the next client and the next report. Each of these audits requires pre-reading too. The auditing organisation also has a service level agreement with the auditee, usually to deliver the report within two weeks of the end of the audit. You just can’t afford to let the reports back up.

Provided the documents being reviewed by the AI model contain no personally identifiable information (PII) and no data that is confidential to the organisation being audited, there shouldn’t be a problem with conducting a ‘first pass’ with AI, so long as the human auditor then follows up on every item the AI model has flagged.

There have been dozens of times when I have audited an organisation that reasoned it had met the requirements of a certain control in an unorthodox fashion and, after discussion, I have agreed, in most cases. That discussion is the part an automated review cannot have.

One example of where AI could have been led astray was when I was reviewing an organisation’s risk register. It had been documented as having been reviewed, so during the audit I inquired who had reviewed it and when. The CISO said they had reviewed it the previous week, which was when it had been dated. Unfortunately the evidence in the risk register showed that the ‘review’ was not that thorough! There were due dates dating back five years, risks relating to physical buildings the organisation hadn’t leased for three years, and risks for software it hadn’t used for a number of years. This was a classic example of a major non-conformity.

Another example was when I was going through a ‘reviewed’ risk register during an audit, but something just didn’t look right. Then I realised that one of the risks had an inherent risk that was lower than the residual risk. I asked why the client had implemented controls to mitigate a risk when those very controls had increased the risk. It was only then they realised that the formula in the spreadsheet was incorrect. The client fixed the issue there and then, but when I inquired who had reviewed the risk register, they admitted that the Board of Directors had reviewed and approved it the previous week. Maybe I should write a blog post entitled, When is a review not a review?
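The two register problems above are exactly the kind of thing a script can catch before a human ever opens the spreadsheet. The following is an added example, not code from the original post or from BH Consulting: it reads a risk register export and flags any risk whose residual score exceeds its inherent score (the broken-formula case) and any open treatment whose due date already lay in the past on the day the register was supposedly reviewed (the stale-review case). The column names, the 1–5 likelihood × impact scoring scale, the review date and the sample rows are all assumptions made for the example. Note what it cannot tell you: whether the building in R-02 is still leased, or whether the owner of R-03 ever read the row.

```python
"""Mechanical sanity checks over a risk register export.

Added example; not from the original post or from BH Consulting.
Column names, the 1-5 x 1-5 scoring scale, the review date and the
sample rows below are assumptions made for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample register, not real client data.
SAMPLE_REGISTER = """\
id,title,inherent_likelihood,inherent_impact,residual_likelihood,residual_impact,treatment_due,status
R-01,Ransomware on file servers,4,5,2,5,2024-09-30,Open
R-02,Loss of office building (former site),3,4,1,4,2019-03-31,Open
R-03,Legacy CRM unpatched,4,3,5,3,2024-11-15,Open
R-04,Key supplier insolvency,2,4,2,3,2025-06-30,Open
"""

# Assumed date on which the register was stated to have been reviewed.
LAST_REVIEW = date(2024, 3, 8)


def score(likelihood: str, impact: str) -> int:
    """Risk score as likelihood x impact on an assumed 1-5 scale."""
    lik, imp = int(likelihood), int(impact)
    if not (1 <= lik <= 5 and 1 <= imp <= 5):
        raise ValueError(f"score out of range: {lik} x {imp}")
    return lik * imp


def check_register(csv_text: str, review_date: date) -> list[dict]:
    """Return one finding dict per problem detected in the register."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        inherent = score(row["inherent_likelihood"], row["inherent_impact"])
        residual = score(row["residual_likelihood"], row["residual_impact"])

        # Controls can only reduce likelihood or impact, so a residual score
        # above the inherent score means a scoring or formula error.
        if residual > inherent:
            findings.append({
                "id": row["id"],
                "check": "residual_exceeds_inherent",
                "detail": f"inherent {inherent} is lower than residual {residual}",
            })

        # A treatment still marked Open whose due date predates the review
        # date was already overdue when the register was 'reviewed'.
        due = date.fromisoformat(row["treatment_due"])
        if row["status"].strip().lower() == "open" and due < review_date:
            age_days = (review_date - due).days
            findings.append({
                "id": row["id"],
                "check": "overdue_at_review",
                "detail": f"treatment due {due} was {age_days} days overdue at review",
            })
    return findings


if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER, LAST_REVIEW):
        print(f"{finding['id']}: {finding['check']} ({finding['detail']})")
```

Run against the sample data it reports two findings: R-03, where the residual score of 15 exceeds the inherent 12, and R-02, whose treatment fell due almost five years before the review date. Everything else still needs the interview.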

Yes, humans make mistakes, some of which a computer can find. Would an AI agent have found these two examples? Possibly. Should AI take over this role? AI cannot, and in my opinion should not, take over the role of conducting audits entirely. If you’re looking for a ‘cookie cutter’ audit report with no insight and no context, then by all means have AI systems review your anonymised documents. But if you’re looking for a review of your risk management implementation and mitigations across your estate that highlights potential gaps, then you can’t beat human insight.

Eoin O’Beara is a senior cybersecurity consultant with BH Consulting
