Foundation AI Logo

AI in Cybersecurity Policy and Practice: What Security Leaders Need to Know Now

Alie Fordyce

We know—we just posted. And no, we’re not switching to a daily newsletter.

And, when Alie Fordyce, Senior Policy Leader at Cisco Foundation AI, shared this piece on AI’s growing role in cybersecurity policy and operations, it was too timely not to publish. From government guidance to gaps in current defenses, she brings clarity to a fast-moving and often confusing space.

This post also kicks off a new monthly series on AI in cybersecurity policy and practice—designed to help teams keep up with evolving threats, regulations, and best practices without needing a decoder ring.

And yes, we’ll go back to a more reasonable publishing cadence ... probably.

Bottom line: AI may be moving fast, but security leadership can still stay one step ahead—with the right mix of automation, oversight, and openness.

Full post below.

#AI #CyberSecurity #OpenSourceAI #PolicyInsights #FoundationAI #CiscoSecurity #ResponsibleAI

AI has dramatically reshaped cybersecurity, empowering attackers with more sophisticated, scalable, and harder-to-detect threats. As AI automates and enhances malicious capabilities, traditional defenses have struggled to keep pace. To adequately defend against AI-powered threats and navigate the advanced digital battleground, it is becoming essential for organizations to leverage the power of AI themselves in order to stay ahead of novel threats and automate where possible.

In a new monthly series, we will keep you up-to-date on AI in cybersecurity policy and practice insights to help inform a modern approach to cybersecurity that leverages AI. Regularly sourcing cybersecurity policy information from government agencies and reputable thought leaders reveals the following key trends:

  • Cybersecurity practices in need of enhancement and automation: Nearly 80% of threat actor techniques are missed by current SIEM tools, largely due to limited automation in rule development and validation. Enterprise SIEM tools currently have only 21% coverage of the techniques used by adversaries listed in the MITRE ATT&CK framework. This lack of technique coverage is, in part, due to an under-utilization of data; SIEM tools process on average 259 log types and almost 24,000 unique log sources, equating to roughly 90% MITRE ATT&CK coverage, but manual detection engineering practices limit human incidence responders’ ability to process all this data. Leveraging AI fosters automation of much of the detection engineering practices, allowing organizations to keep pace with the rapid development of threats.
  • Automation should automate and scale human responders, not fully replace them: CISA guidance emphasizes that SOAR platforms should augment human response, not fully automate it. A SOAR platform can automate some response actions for defined events and incidents, but it is not a substitute for human incident responders. The critical need for human oversight and decision-making persists and must not be entirely automated away so that security personnel can dedicate their expertise to the most intricate and high-value challenges. Automating systems using AI is a necessity to keep pace with the evolving threat landscape, but it remains critical to make human oversight integral to any cybersecurity protocols.
  • Open source is vital to secure AI development: NSA guidance supports using open source models (e.g. from Hugging Face) to improve transparency, data provenance, and integrity—core elements of resilient AI security practices. Best practices for data security include verifying data sources, tracking data provenance, maintaining data integrity, using trusted infrastructure, and conducting ongoing risk assessments. Open source models provide the necessary visibility and flexibility for security practitioners to implement the recommended best practices and build more resilient AI applications. Openness is a crucial element of cybersecurity: to support data privacy and security, provide practitioners with full control over deployments, and to benefit from community-driven growth.

Bottom Line: To stay ahead of adversaries, cybersecurity operations must embrace automation strategically, maintain human oversight, and leverage open-source tools for transparency and adaptability.