We recently hosted two experts dealing with GenAI Security and esteemed customers of Prompt Security: Richard Moore, Director of Security at 10x Banking, and Dave Perry, Manager of Digital Workspace Operations at St. Joseph's Healthcare Hamilton.
In this short blog post we gather some of their key insights when dealing with the safe and secure enablement of Generative AI (GenAI) in the organization, with a focus on the hypersensitivity of the data they're dealing with given the highly regulated nature of Financial Services and Healthcare.
…
GenAI Security Insights From InfoSec Leaders in Highly Regulated Industries: FinServ and Healthcare Spotlight
In heavily regulated industries like finance and healthcare, taking full advantage of GenAI can feel like balancing on a tightrope.
We asked enterprise security heads for their top insights on how to lead secure GenAI innovation. Here are their top recommendations.
#1: Swimming upstream is a fool’s errand
Richard Moore, Director of Security at the cloud-native core banking platform 10x Banking, does not believe in blanket blocks on GenAI. “It’s here whether one likes it or not,” he told us. “GenAI is embedded in so many systems, in so many tools. Enterprises should focus on controlling it properly.”
With GenAI becoming more of a commodity, blocking it is akin to trying to block the internet in the 1990s: a death sentence for business. Blocking it may also be somewhat futile; for every tool you block, several new ones will pop up. It becomes an ever-worsening game of Whac-A-Mole.
Moore stresses the need for case-specific considerations of GenAI. “What are the risks we care about and what is our tolerance for each? This tool and not that tool. Allow this information through and not this information.”
Such considerations characterize a proactive and engaging approach to enterprise GenAI.
“A big risk for us in core banking is that our intellectual property makes its way into someone’s training set. Our tolerance for this risk is very low, so we sought enterprise agreements with AI tools to reduce the risk.” Richard Moore, Director of Security, 10x Banking
#2: Be collaborative and comprehensive
Dave Perry manages digital workspace operations at St. Joseph's Healthcare, an academic research hospital in southern Ontario. He and his IT team took a collaborative approach to GenAI governance. Alongside engineering professors and students at McMaster University, they developed a living GenAI protocol – ‘living’ because the technology and acceptable risk will change.
“With GenAI growing in our personal and professional lives, it is key to standardize as early as possible,” he said. “Guide members of your organization to where you want them to be. If you don’t, they are going to try to guide themselves, which means less or no organizational control.”
With more GenAI tools at people's fingertips, it’s no wonder Perry wants to standardize, educate, and enforce governance at the firewall level.
“In healthcare, we are all custodians of important data, so we need to take GenAI seriously. It's being embedded in more and more systems and can be hacked and manipulated, so we need to be vigilant.” Dave Perry, Digital Workspace Operations Manager, St. Joseph's Healthcare
#3: Apply principles judiciously
Moore and Perry think it's important to build on solid guiding principles like the OWASP Top 10 for LLMs. However, they both underscore that not all principles apply in all contexts.
Frameworks are not ‘one size fits all.’ Each organization must tune them for its specific purposes. This means working with one’s IT team to understand contexts and apply principles in a suitable manner.
They also emphasize how Prompt Security is especially helpful in this regard.
Perry told Prompt Security that its solution allows St. Joseph's Healthcare to work backward on governance. “Prompt Security clarifies what is happening and expands the range of what we can do. This lets us tailor our GenAI governance to known circumstances and abilities.”
Meanwhile, Moore sees Prompt Security enabling 10x Banking to take a big leap forward. “Before, we lacked fine-grade control, which is where a specialist solution becomes much more effective,” he told us. “With Prompt Security, we can create solid guardrails around the GenAI usage that brings the most positive impact.”
