Plaintext: Managing AI Risk is the CISO's Responsibility

Welcome to Dark Reading in Plaintext, brought to your inbox this week by HackerOne. In this issue of Plaintext for the CISO, we look at the focus on AI during last week's Gartner Security & Risk Management Summit. We also highlight a regulatory change from the Securities and Exchange Commission about cyber risk management. If you enjoy Plaintext, please share with friends and colleagues!

AI Took Center Stage. At the Gartner Security & Risk Management Summit 2025 (June 9-11) in Washington, D.C., the focus was on emerging technologies such as AI and building resilient security programs. Speakers emphasized that AI is at the forefront of both opportunities and risks for CISOs. It is imperative to understand how to secure AI applications, mitigate AI-driven attacks, and use AI tools for security activities.

Research Distinguished Vice-President Jeremy D'Hoinne discussed how "AI fatigue" has caused some CISOs to fall into what he calls a "neglect phase," where early AI initiatives get sidelined because they didn't quite pan out as expected. But AI adoption will keep growing, and securing these tools will fall squarely onto the CISO's shoulders.

"We must play with AI ourselves to become AI literate so that we can understand exactly how LLMs work and what happens when a user asks a question and discover the many ways and places that the prompt or answer can be tampered with to better understand how to protect our organizations' AI investments," Gartner distinguished vice president analyst Leigh McMullen said during the Summit's opening keynote.

In fact, according to Paul Proctor, Gartner vice-president and distinguished analyst, most organizations are already using some kind of generative AI tool, and 58% of CISOs are already leading their organization's AI adoption programs. "58% of CISOs are leading their organization's AI adoption programs. The CISOs' role is central to the organization's ability to take intelligent risks," Proctor said.

And for all those concerned that AI will replace human security analysts, Gartner says that by 2027, 90% of successful AI implementations in cybersecurity will be tactical, such as task automation and process augmentation, rather than replacement.

"We can also learn when to use which AI techniques and when to not be using AI at all." — Leigh McMullen, Gartner

Dark Reading in Plaintext is brought to you by HackerOne

How Top Companies Are Staying Ahead of AI Risks

See how companies like Snap and Anthropic use red teaming and researcher collaboration to secure GenAI. Download HackerOne’s AI security guide for strategies that strengthen AI with expert insight.


SEC Withdraws Cyber Rule. Continuing the current wave of deregulation, the Securities and Exchange Commission is withdrawing Biden-era rules requiring companies and advisers to develop written policies to address cybersecurity risks and report significant cybersecurity incidents. The rules, originally proposed in 2022 but not yet finalized, would also have required entities to report the last two fiscal years' cyber incidents and risks in a publicly available registration form. The withdrawn rules are separate from the cyber rule that requires organizations to disclose "material" cybersecurity incidents.

Industry groups had lobbied against these rules, arguing that attention spent on regulatory compliance was attention not spent on enterprise defense. In a 2023 statement, Heather Hogsett, senior vice president for BITS at the Bank Policy Institute, wrote, "If not appropriately harmonized, the Commission’s recent cyber proposals could further complicate the already complex cyber regulatory requirements for financial institutions. This would divert attention to compliance matters and away from the important day-to-day work protecting the institution, its customers and investors from well-funded and sophisticated cyber attacks."

What We Heard On-Air

Tune in to our on-demand webinar, Tips on Managing Cloud Security in a Hybrid Environment.

"...the 'one key to rule them all' problem..." —Jake Williams, Hunter Strategy

On That Note

Join us June 18 for our Virtual Event, An Anatomy of a Data Breach: What to Do If It Happens to You. Tune in for keynotes by Fernando Montenegro and Alex Pinto. Check out panels on software vulnerabilities, attacks against cloud services, and incident response after a data breach. If you miss a session, don't worry, you will be able to catch up on-demand. See you June 18!
