Is artificial intelligence really a double-edged sword?

Artificial Intelligence (AI) has long been hailed as a revolutionary force that will impact all business sectors – and banking is no exception.

“In our Security Operations Centre we ingest more than 13 billion data points every single day to provide us with situational awareness. It is impossible for human beings to monitor that level of activity.”

Some questions often asked are: How will AI affect banks specifically? How will this innovative technology be brought to the manufacture and delivery of financial services products? This topic came up recently when I participated on a panel at the Australian Financial Review’s Cyber Security Summit in Sydney.

People often describe AI as being a double-edged sword – a suitable metaphor capturing its dual capacity for both positive and negative outcomes. The positives needing to be weighed against the potentially negative aspects of the technology.

But rather than describing AI with two edges, I often say it has three edges – a triple-edged sword, if you will.

The positive aspects of the technology are by now well understood – it can make us better and faster at how we conduct tasks. At ANZ this includes how we approach our cyber defense and our defensive operations.

We have automated about 35 per cent of our detect and respond processes, which means our people in the Security Operations Centre are able to pursue other more meaningful tasks. The use of AI helps free them up to complete more strategic, high-value work.

Using AI for this type of work means we have not had to grow our staffing levels at a proportional rate to keep up with the exponential growth in demand. The soaring number of threat events we deal with in the current climate would have otherwise required huge growth in our workforce.

Data deluge

As an example, in our Security Operations Centre we ingest more than 13 billion data points every single day to provide us with situational awareness. It is impossible for human beings to monitor that level of activity, and the cost would be prohibitive. We must utilise AI to help – it is an imperative, not a luxury.

AI can act as a useful back-up while humans are focusing their attention elsewhere. The AI can be searching for anomalies in places the humans aren’t actively monitoring. This is especially important if, for example, a threat actor creates a distraction to mislead security teams.

The second aspect revolves around our strategy to deal with offensive AI. It is not enough to simply defend against more traditional cyber threats. All companies must proactively prepare for potential attacks powered by AI.

How do we better prepare for the types of attacks that may come our way? This requires a deep understanding of how adversaries might use AI to their advantage – something that is changing every day with innovation. Companies can then begin to develop robust defenses to counteract such threats.

We shouldn’t think about the battle against AI-driven cyber threats as being a fight against machines – but rather a strategic effort to outmaneuver adversaries who exploit AI technologies to attack companies or our customers.

Our teams must remain up to date on how AI is being (and could be) used in an offensive manner to attack organisations. This will better inform how we construct our defenses to counter those offensive attacks. This area is constantly evolving given the nature of those offensive attacks continues to change by the day.

Finally, the third part of AI is the adversarial side, focusing on the vulnerabilities within AI systems themselves or how an adversary might attack our AI. Banks must ensure the security of their AI, such as safeguarding it from tampering and data poisoning.

Pillars of trust

It is crucial to develop mechanisms to detect and mitigate any manipulations swiftly. Safeguarding the integrity and reliability of AI systems should ensure they function as intended and remain trustworthy.

This is not just about prevention, it's also about detection and response. As Chief Information Security Officer, I work with colleagues across the bank to jointly develop an AI framework to ensure we've got the right guardrails in place.

Security is just one of many pillars that build a trustworthy framework. We also must make sure we think about other considerations such as legal, ethical, human rights and privacy. All of these elements come together to create a trusted way of using AI. They are not negotiable.

This raises the interesting question of how banks and other companies recruit for this new AI world. People often talk about the cyber security people, the AI people, the data people and the automation people – but why can’t they actually be the same people?

Throughout my career I have actively built my expertise in all these areas, and while not many of us did this 10 years ago, that has changed, and many others are now doing the same. In the meantime, while we build a workforce of multi-skilled people, we need these teams to be much more effectively integrated. All organisations must do a better job bringing these skills together.

The other popular misconception is that we'll roll out AI and we’ll have no need for humans anymore. We all like to talk about the productivity gains from automating – that is a great outcome as I’ve mentioned above. But people don't always think about the productivity loss, which is the flip side of the productivity coin. Who is monitoring, tuning or securing the AI after it goes live?

Despite the exponential growth in the use of AI in recent years, we are still in the early days in relation to how it will change and shape different industries.

Companies must ensure they are set up to benefit from this revolution and have the right mix of skills in their workforces to take advantage of all AI has to offer.

The ‘triple-edged sword’ metaphor shows companies must prioritise using AI for operational efficiency, prepare for AI-driven threats and secure AI systems against adversarial actions.