I just spent the last several days with HP and their Wolf Security Group, and they scared the hell out of me. They now have hard evidence that AI’s use in creating malware has pivoted from proofs of concept to actual attacks. While the frequency of these AI-based attacks is still relatively low because only a minority of coders know how to use AI today, that is changing very rapidly, and you don’t really need to be a coder to use AI to code.
One of the demonstrations showed how you could use AI to decompile a secure application and then scan the result to find the password that the user used to access it. The entire process took between 5 and 10 minutes, where typically you might work on something like this for days and use phishing rather than AI to get that same password. Oh, and AI is also increasingly used for phishing, suggesting companies will also need to increase and improve their employee security training.
We used to have a huge problem with kids creating viruses in their parents’ basements, which largely went away as security tools advanced, but this AI capability will make it so kids can again create malware at scale. The amount of malware we are likely to see should not only be impressively large in 2025, but it is also expected to continue to accelerate through the rest of this decade and beyond if we can’t get better at going after and punishing those who create it.
The Purchasing Problem
When it comes to assuring that the RFQ/RFP and review process can properly identify vendor solutions that adequately address this kind of problem, it is critical that each platform reviewed be fully assessed for how capable it actually is. And the group that should do this assessment should, but generally doesn’t, report to the company’s Chief Security Officer (CSO).
As a result, the capabilities aren’t fully assessed, leading the firm to select poorly secured offerings that the vendor might have promised were secure enough but aren’t. I ran into this years ago when I was an Internal Auditor in Charge at IBM. When I reviewed bids, I’d often find vendors who claimed their products were compliant with the specified requirements but were not. In fact, when I reviewed IBM’s own bids back then, I found a number of responses that promised products that not only didn’t exist, but where the requisite development effort had been cancelled, so the product wouldn’t just be late; it would never exist.
With the wave of AI-driven and potentially quantum computing-based attacks coming soon, it is increasingly critical that all security products, and all products that have required security features, are validated as actually having those features before the quote or proposal is accepted. Vendors that lie in the related responses should be punished for doing so.
Purchasing Isn’t Equipped or Staffed to Do This
Generally, purchasing just takes the requirements, puts them into the request and then relies on the vendor to be honest in its response. While this is a really bad practice in general, when it comes to security offerings it could be a company-ending decision. If things go badly, pretty much everyone in the decision tree will be at risk.
Bid and proposal compliance review shouldn’t be done by purchasing but by the relevant specialty in the company. For security, this is the Chief Security Officer’s (CSO’s) area of specialty. This brings us to problem number two, which is that most CSOs are neither staffed nor given the requisite authority to perform or assure this role. This is like going into a risky medical operation with only people who know nothing about it in decision-making roles. It is going to end very badly if it isn’t fixed, because too many products are being selected that either don’t do the job adequately or don’t do it at all. While there is no doubt that vendors who misrepresent their security capabilities can be sued, that is little comfort if the company is shut down because of an event. Heads are going to roll.
Wrapping Up
Companies need to take a hard look at their purchasing process and bring in organizations like Security and Internal Audit to assure that winning bids are selected not just on lowest cost but on their ability to do what the company needs done.
If this process failure isn’t corrected, I expect we are going to see increased breaches as more and more AI-created malware is able to bypass the protections companies falsely think they have.