GenAI success starts with the right foundation

The importance of building cyber risk management into your GenAI approach

Generative artificial intelligence (GenAI) offers an incredible opportunity for businesses to change the game when it comes to their operations. But if you want to create sustainable value for your organization using GenAI, in addition to enthusiasm, you’ll need a commitment to managing risks you might not be fully aware of or well positioned to control.

Many companies are only beginning to appreciate some of the challenges associated with implementing GenAI. In this year’s Global Digital Trust Insights survey, 39% of companies globally said addressing the difficulty of incorporating with existing systems and processes would be one of their most significant challenges internally on the GenAI front over the next twelve months, while 39% selected lack of trust in GenAI by internal stakeholders and 37% selected inadequate internal controls and risk management. Navigating these challenges and their associated risks can be difficult, but for companies looking to get the most from GenAI, factoring them into your strategy early is critical.

If you’re excited about the possibilities GenAI and want to set your organization up for long-term success, consider taking a proactive approach to your GenAI strategy that considers GenAI governance and cyber risk management from the beginning.

Interest in GenAI is expected to increase in the months and years ahead as companies look to use it to drive new business value. With GenAI tools becoming increasingly accessible, closing the door entirely on the use of GenAI in your organization isn’t realistic, since you’d lose any control or visibility into where or how it’s being used by people choosing to disregard your guidance. This would leave your business exposed to the risks without being able to take advantage of the benefits.

The best defence when it comes to managing GenAI risks is to be proactive. By building trusted avenues and processes for your people to use GenAI, you can reduce the possibility that your people will use GenAI tools in an unapproved way while establishing the internal controls and governance you’ll need to manage risks.

Embracing GenAI can be daunting, but you don’t need to start from scratch. At PwC Canada, we’ve gone through our own GenAI transformation journey and have helped clients do the same. Based on our internal and client experience, here are seven key activities you should consider to reduce risk and better embed GenAI into your cyber risk posture:

• Define how you want to use GenAI: Define your organization’s goals for GenAI so that you can work towards achieving them. Examples include, enhancing productivity (e.g. using GenAI to transform how you work, improving quality), expanding the breadth of data and sources supporting your work and encouraging creativity (e.g.. conversing with AI to gain different perspectives).
• Get your leadership team on the same page: Make sure your leadership team understands the opportunities and risks associated with GenAI —including both operational risks and cyber risks—and that they’ re fully aligned on your company’s overarching GenAI strategy and approach.
• Bring the right team together: Bring together a cross-functional team of business, technology and cyber experts, including your CISO, to guide your GenAI activities. This team should include people who understand your data, in addition to the complexities of your business, your technology stack and your organization’s risk appetite.
• Be agile as you move forward: Take an agile approach to your GenAI activities that encourages you to act on cyber risks as you identify them rather than waiting until the end of a given process.
• Consider your data strategy: Assess your data strategy from a cyber perspective, to enable your business to be set up in a safe and secure way to use GenAI.. This means examining whether you have the right data and data sources, in addition to confirming your data is clean and well labelled and that you have the appropriate rights and data controls in place.
• Consider your technology architecture: Make sure your technology architecture is up to date and that you understand your risks, know your potential risk exposures and have appropriate controls in place. Consider both how your technology is set up today and, as GenAI evolves, how you will manage changes on a going-forward basis.
• Adjust your risk and governance framework: Given that GenAI will change your risk profile, evaluate and update your governance, risk and controls to make that you’re using GenAI responsibly and limiting your risk exposure. As part of this process, consider coverage from both a proactive and reactive perspective so you’re well equipped to respond if a cyber incident happens.

The opportunities presented by GenAI may be exciting, but if your organization has any gaps in your cybersecurity and data environment, embracing GenAI will expose them. Take a proactive approach to defining your GenAI strategy, governance and controls to better position your organization to embrace GenAI successfully while also mitigating potential risks and enabling you to respond effectively should issues arise.

Of course, taking a proactive approach to GenAI shouldn’t stop at the end of your initial transformation journey. With GenAI solutions and tools evolving quick, you’ll need to review and update your approach on a regular basis, continuously monitor for new cyber risks and test your mitigation and response plans to enable your approach to remain sustainable for the long term. 

Whether you’re just starting out on your GenAI journey or looking to drive more value from your GenAI approach, the best time to start is now. With a solid foundation, you’ll be ready to take advantage of all GenAI has to offer in the months and years ahead.