6 AI-Related Security Trends to Watch in 2025

Most industry analysts expect organizations will accelerate efforts to harness generative artificial intelligence (GenAI) and large language models (LLMs) in a variety of use cases over the next year. Typical examples include customer support, fraud detection, content creation, data analytics, knowledge management, and, increasingly, software development. A recent survey of 1,700 IT professionals conducted by Centient on behalf of OutSystems had 81% of respondents describing their organizations as currently using GenAI to assist with coding and software development. Nearly three-quarters (74%) plan on building 10 or more apps over the next 12 months using AI-powered development approaches.

While such use cases promise to deliver significant efficiency and productivity gains for organizations, they also introduce new privacy, governance, and security risks. Here are six AI-related security issues that industry experts say IT and security leaders should pay attention to in the next 12 months.

AI Coding Assistants Will Go Mainstream — and So Will Risks

Use of AI-based coding assistants, such as GitHub Copilot, Amazon CodeWhisperer, and OpenAI Codex, will go from experimental and early adopter status to mainstream, especially among startup organizations. The touted upsides of such tools include improved developer productivity, automation of repetitive tasks, error reduction, and faster development times. However, as with all new technologies, there are some downsides as well. From a security standpoint these include auto-coding responses like vulnerable code, data exposure, and propagation of insecure coding practices.

“While AI-based code assistants undoubtedly offer strong benefits when it comes to auto-complete, code generation, re-use, and making coding more accessible to a non-engineering audience, it is not without risks,” says Derek Holt, CEO of Digital.ai. The biggest is the fact that the AI models are only as good as the code they are trained on.
Early users saw coding errors, security anti-patterns, and code sprawl while using AI coding assistants for development, Holt says. “Enterprise users will continue to be required to scan for known vulnerabilities with [Dynamic Application Security Testing, or DAST; and Static Application Security Testing, or SAST] and harden code against reverse-engineering attempts to ensure negative impacts are limited and productivity gains are driving expected benefits.”

AI to Accelerate Adoption of xOps Practices

As more organizations work to embed AI capabilities into their software, expect to see DevSecOps, DataOps, and ModelOps — or the practice of managing and monitoring AI models in production — converge into a broader, all-encompassing xOps management approach, Holt says. The push to AI-enabled software is increasingly blurring the lines between traditional declarative apps that follow predefined rules to achieve specific outcomes, and LLMs and GenAI apps that dynamically generate responses based on patterns learned from training data sets, Holt says. The trend will put new pressures on operations, support, and QA teams, and drive adoption of xOps, he notes.

“xOps is an emerging term that outlines the DevOps requirements when creating applications that leverage in-house or open source models trained on enterprise proprietary data,” he says. “This new approach recognizes that when delivering mobile or web applications that leverage AI models, there is a requirement to integrate and synchronize traditional DevSecOps processes with that of DataOps, MLOps, and ModelOps into an integrated end-to-end life cycle.” Holt perceives this emerging set of best practices will become hyper-critical for companies to ensure quality, secure, and supportable AI-enhanced applications.
Shadow AI: A Bigger Security Headache

The easy availability of a wide and rapidly growing range of GenAI tools has fueled unauthorized use of the technologies at many organizations and spawned a new set of challenges for already overburdened security teams. One example is the rapidly proliferating — and often unmanaged — use of AI chatbots among workers for a variety of purposes. The trend has heightened concerns about the inadvertent exposure of sensitive data at many organizations.

Security teams can expect to see a spike in the unsanctioned use of such tools in the coming year, predicts Nicole Carignan, vice president of strategic cyber AI at Darktrace. “We will see an explosion of tools that use AI and generative AI within enterprises and on devices used by employees,” leading to a rise in shadow AI, Carignan says. “If unchecked, this raises serious questions and concerns about data loss prevention as well as compliance concerns as new regulations like the EU AI Act start to take effect,” she says. Carignan expects that chief information officers (CIOs) and chief information security officers (CISOs) will come under increasing pressure to implement capabilities for detecting, tracking, and rooting out unsanctioned use of AI tools in their environment.

AI Will Augment, Not Replace, Human Skills

AI excels at processing massive volumes of threat data and identifying patterns in that data. But for some time at least, it remains at best an augmentation tool that is adept at handling repetitive tasks and enabling automation of basic threat detection functions. The most successful security programs over the next year will continue to be ones that combine AI’s processing power with human creativity, according to Stephen Kowski, field CTO at SlashNext Email Security+. Many organizations will continue to require human expertise to identify and respond to real-world attacks that evolve beyond the historical patterns that AI systems use.
Effective threat hunting will continue to depend on human intuition and skills to spot subtle anomalies and connect seemingly unrelated indicators, he says. “The key is achieving the right balance where AI handles high-volume routine detection while skilled analysts investigate novel attack patterns and determine strategic responses.”

AI’s ability to rapidly analyze large datasets will heighten the need for cybersecurity workers to sharpen their data analytics skills, adds Julian Davies, vice president of advanced services at Bugcrowd. “The ability to interpret AI-generated insights will be essential for detecting anomalies, predicting threats, and enhancing overall security measures.” Prompt engineering skills are going to be increasingly useful as well for organizations seeking to derive maximum value from their AI investments, he adds.

Attackers Will Leverage AI to Exploit Open Source Vulns

Venky Raju, field CTO at ColorTokens, expects threat actors will leverage AI tools to exploit vulnerabilities and automatically generate exploit code in open


Listen to your technology users — they have led to the most disruptive innovations in history

In 1971, Advanced Research Projects Agency Network (ARPANET), the precursor to the modern internet, had about 1,000 users. The @ sign was an obscure symbol. Then, engineer Ray Tomlinson changed everything by creating a system to send messages to other computers on the ARPANET network, using the @ sign to indicate who each message was for. Email was born.

One of the biggest inventions of the digital era wasn’t created by a company looking for a product to sell. It was cooked up by a user with a problem to solve. Tomlinson said he didn’t even fully realize what a big deal his invention was until almost 25 years later, in 1993.

Users were also behind the invention of the dishwasher (a socialite looking to make dinner party cleanup easier), the telephone (an engineer who wanted to talk to his wife upstairs from his basement lab), the plastic contact lens (an optometrist tired of wearing thick heavy glasses) and even modern tech companies like Airbnb (the founders rented an air mattress in their living room to help make rent on their San Francisco apartment).

Users are a major source of disruptive innovation, yet they are often overlooked. We recently published an analysis of 60 cases of disruptive innovation in the Journal of Product Innovation Management, from LASIK surgery to electric power tools. Our goal was to understand where disruptive innovation originates. We were surprised to find that nearly half the innovations we identified came from users, rather than producers.

Combining ‘need knowledge’ and ‘solution knowledge’

Users have a unique, close-up view of a problem — and know where current solutions fall short. Technical experts and existing producers have a clearer sense of what potential solutions could look like, but they aren’t as close to the need.
By combining users’ “need knowledge,” with their own “solution knowledge,” companies can unlock a wealth of opportunities for growth and competitive advantage. Disruptive ideas for B2C products and services often arise from individual consumers looking to meet their own needs. Disruptive innovation in the B2B space can come from professionals looking for new tools or systems to do their jobs more effectively. For instance, physician John H. Gibbon and his wife Mary developed the heart-lung machine and used it to perform one of the first successful open-heart surgeries.

Our study found that products offering dramatically new functionalities are more likely to be developed by users and often arise in times when customer needs are changing rapidly. On the other hand, innovations with high technological novelty are more likely to be generated by producers, who have the necessary technical expertise. These tend to originate in moments of rapid technological change.

Our research calls into question existing thinking about disruptive innovation. The narrative going back to businessman Clayton Christensen has been that disruption comes from startups and other new players in a market, while large incumbents generally lag behind. Users are seen as part of the problem. When your customers keep asking for the same thing over and over, there isn’t much room to innovate. But our research shows that there isn’t just one template for disruptive innovation, and users can be a source of ingenious ideas rather than a barrier. While companies often look to users for input on how to tweak existing projects and innovate around the margins, we found that they can also generate disruptive, game-changing innovation.

Tips to support disruptive innovation

So, how can your company surface truly disruptive innovation from users? First, create a culture of open innovation that values insights from outside the organization.
While the technical geniuses in your R&D department are experts in how to build something new, they aren’t the only authorities on what it is you should build. Our research suggests that it’s especially important to seek out user-generated disruption at times when customer needs are changing rapidly. Talk to your customers and create channels for dialogue and engagement. Most companies regularly survey users and conduct focus groups. But to identify truly disruptive ideas, you need to go beyond reactions to existing products and plumb unmet needs and pain points. Customer complaints also offer insight into how existing solutions fall short. AI tools make it easier to monitor user communities online and analyze customer feedback, reviews, and complaints. Keep your pulse on social media and online user communities where people share innovative ways to adapt existing products and wish lists for new functionalities. Users also congregate offline. At sporting events you may find athletes DIYing custom solutions to unmet needs. Mountain bikes were invented in the 1970s by riders who cobbled together custom bikes, called clunkers, to explore beautiful off-road landscapes in California. Focus on lead users who are ahead of the trends. Lead users are often the first to see rising consumer needs that will be dominant in the future, and they stand to benefit from new solutions. Research shows that lead user ideas are much more valuable commercially than those from the average customer. However, take their input with a grain of salt, as lead users sometimes value niche functionalities that mainstream customers won’t care about. You can also look for lead users embedded within your organization — for instance, employees who work for a car company because they are auto aficionados. Lastly, explore co-creation initiatives that foster direct collaboration with user innovators. 
For instance, run a contest where customers submit ideas for new products or features, some of which could turn out to be truly disruptive. Or sponsor hackathons that bring together users with needs and technical experts to design solutions. Companies are always looking for an innovation edge, but they often miss one of the most powerful sources of groundbreaking ideas — their own users. By tapping into the vast pool of existing users and customers, you can harness their creativity and expertise to fuel truly disruptive innovation. Christina Raasch is Professor


8-1-2025

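US stocks: the Dow fell 178.20 points, or 0.42%, to 42528.36; the Nasdaq fell 375.30 points, or 1.89%, to 19489.68; the S&P 500 fell 66.35 points, or 1.11%, to 5909.03.

A report released on Tuesday by the US Bureau of Labor Statistics showed that US JOLTS job openings for November broke through the 8 million mark, well above expectations and a six-month high. The recent rise in job openings has broken the downward trend of nearly three years and lowered expectations for how much further the Federal Reserve will cut rates this year. The US ISM services PMI also came in significantly above expectations. After the two major data releases, expectations of a rate cut before July cooled.

China's central bank added to its gold holdings for a second consecutive month; foreign exchange reserves fell 1.94% month on month in December.

CPC Central Committee and State Council: accelerate the development and application of elderly-care technology and informatization, with a focus on promoting the research, development and application of technology products such as humanoid robots, brain-computer interfaces and artificial intelligence.

Hong Kong: official foreign currency reserve assets stood at US$421.4 billion at the end of December 2024.

Tencent Holdings (700): the US Department of Defense mistakenly placed the company on its list of Chinese military companies; the company will initiate a reconsideration process and take the necessary measures.

Ping An Insurance (Group) Company of China, Ltd. increased its holding in ICBC (1398) by about 155 million shares, at about HK$4.88 per share.

Ping An Good Doctor (1833) and the offeror, 安鑫有限公司, jointly announced that, based on the scrip dividend elections made under the scrip dividend scheme, a total of 1,042,630,820 new shares will be allotted and issued as a special dividend. Definitive share certificates for the new shares are expected to be dispatched on 24 January 2025, and the new shares will begin trading on the Stock Exchange at 9:00 a.m. (Hong Kong time) on 27 January 2025. An option offer is also being made under Rule 13.5 of the Takeovers Code: the offer price is HK$6.12 per share, a discount of about 2.86% to the closing price of HK$6.30 per share quoted on the Stock Exchange on the date of the joint announcement.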


DOJ Wants Time At 9th Circ. In Zillow, NAR Antitrust Case

By Matthew Perlman (January 9, 2025, 6:48 PM EST) — The U.S. Department of Justice has asked the Ninth Circuit for permission to appear at oral arguments in an appeal looking to revive antitrust claims from a defunct brokerage platform against Zillow and the National Association of Realtors….


Mind the Gap: Cloud Spending is Perplexing CFOs

As my family’s “CFO,” I meticulously scanned my utility bills late one night. As I went through them, line by line, I was confused and frustrated – I couldn’t understand the jump in costs and what was driving them. It was a confusing mix of kilowatt hours, supply and transmission costs, and local fees.

I’m seeing a very similar phenomenon with cloud spending. My day job at IBM is creating automation solutions to help solve organizations’ efficiency and observability issues in the IT industry. As a foundation for today’s digital transformation, cloud and hybrid cloud technologies offer many benefits, from cost savings to flexibility, security, and automatic software updates; yet, all the benefits come with various costs that can be difficult to measure and manage.

What makes cloud spending difficult?

The hard part about cloud spending is that it’s too complex to fully understand how much cloud costs will be. Surface-level cloud spending is fairly easy to track, but when it gets down to things like Kubernetes workloads – how software is deployed, scaled, and managed in and across clouds – AI model inferencing and provisioning, cost projections are extremely difficult and often wildly inaccurate because there are too many gaps not being accounted for. Some gaps are the size of canyons, and others are hard to spot. Remember, this isn’t the pinnacle of cloud complexity either; it will only worsen.

Think of this situation in the spirit of getting AI initiatives off the ground. Organizations tend to be okay with initial high associated cloud costs to create more revenue and profit; however, that way of spending isn’t sustainable.

What is FinOps, and how can it help manage cloud spending?

Managing cloud costs is so significant that the IT industry created a practice to manage it.
FinOps, as it’s known in my industry, is an operational framework for managing cloud costs from engineering to operations. In fact, according to Civo’s The Cost of Cloud Report 2024, 60% of organizations saw cloud spending increase this past year, and 40% of those said costs rose by more than 25%. If you bring in the larger macro-factors of companies cutting resources for efficiency, inflationary price increases, and new technology spending, CFOs need more support and visibility.

How can partnering with CIOs and using automation help CFOs tackle cloud costs?

CIOs can help their CFO colleagues by adopting FinOps practices powered by AI technologies that reduce the burden of tracking, tagging, and constantly chasing your operations team to understand how budgets are being spent, bringing real-time visibility and decision support to your fingertips. The cloud operates in real-time, but it can be predictable and forecasted in a way that improves visibility and automates resource management, observability, and cost transparency.

Automation can save by over-provisioning CPUs/GPUs, memory, and storage. It can help observe application health and proactively remediate issues. Automation also can provide a holistic and granular breakdown of how cloud costs are racking up.

Partnering with CIO peers and implementing automation solutions can help get a CFO off the hot seat. CFOs need to be able to manage budget expectations while keeping the business on track with innovation and spending. CFOs, CIOs, engineers, DevOps, and cloud/AI team leads must tackle this problem together. The synergy of aligning business and financial outcomes will allow spending to shrink and maximize its potential simultaneously. A good FinOps posture means everyone has equal visibility and accountability in spending.
Is investing in a FinOps automation solution worth it?

Yes. The extra initial cost of buying a FinOps automation solution will pay for itself in less than two years – I bet it could happen in 12 months. Implementation of a FinOps automation solution is critical. Get it done right from the start – maximize the connectivity, efficiencies, and collaboration – and watch the cloud spending and your CFO’s stress melt away.

Some old financial advice has never been more prevalent than now: Live within your means. Bills shouldn’t surprise you or make you sweat, and CFOs shouldn’t pay the price for your overspending.

Bill Lobig, vice president, Product Management, IBM IT Automation.

Bill Lobig is responsible for IBM IT Automation Software Product Management. This includes a range of technologies allowing people and organizations to optimize their technology spend and ensure the health and performance of applications. Bill has been in the enterprise software space for over 25 years holding various roles in engineering & product management ranging from unstructured data/content management, information life cycle governance, business process management, machine learning & AI, and Application Modernization, FinOps, and IT Operations. Bill graduated Summa Cum Laude from the University of Maryland College Park.


Insurer Says No Coverage For Unlicensed Electrician's Death

By Elizabeth Daley (January 10, 2025, 6:13 PM EST) — An Oklahoma grocery store’s insurer shouldn’t have to cover litigation brought by the family of a man who died while performing electrical work because he was unlicensed and because the store, when obtaining its policy, said it didn’t hire independent contractors, the insurer told a federal court….


Modernize Marketing With CRM Marketing Services

From marketing service provider to CRM marketing services … what’s in a name? An evolution and some confusion. More agencies are going to market with “CRM services,” which also spans Salesforce consulting partners to contact-center outsourcers. My new report, CRM Marketing Services Evolve To Meet Changing B2C Marketer Needs, examines what CRM marketing services entail — data, insights, and technology — and what marketers need to know.

Not Your Mother’s MSP

Think of CRM marketing services as an evolution of marketing service providers (MSPs). MSPs used third-party data partners and/or proprietary data to build propensity models and audiences for direct mail campaigns, driving retention and engagement through email marketing. Modern CRM marketing services take these legacy capabilities to a new level by crossing the entire customer lifecycle. Rather than a focus on acquisition and retention, CRM marketing services have also built or acquired new capabilities such as commerce services and digital experience delivery. As a result, they can address every stage of the customer lifecycle:

CRM marketing services offer an intriguing solution to address challenges that have nagged B2C marketers for years: how to meaningfully tie customer data to marketing activation. To succeed, marketers need to examine how they’re defining CRM, which will directly impact the scope of CRM marketing services. Think about the customer data flows, channels, and technologies that need to work together to deliver data-driven marketing; chances are that they’re much broader than one tool. And given the breadth of services under the CRM marketing services umbrella, this may even include paid media and loyalty program management.

Check out the new report here: CRM Marketing Services Evolve To Meet Changing B2C Marketer Needs. Set up a guidance session to understand how CRM can help meet your marketing goals, and stay tuned for a landscape report coming later this year.


What CISOs Think About GenAI

GenAI is everywhere — available as a standalone tool, proprietary LLMs or embedded in applications. Since everyone can easily access it, it also presents security and privacy risks, so CISOs are doing what they can to stay up on it while protecting their companies with policies.

“As a CISO who has to approve an organization’s usage of GenAI, I need to have a centralized governance framework in place,” says Sammy Basu, CEO & founder of cybersecurity solution provider Careful Security. “We need to educate employees about what information they can enter into AI tools, and they should refrain from uploading client confidential or restricted information because we don’t have clarity on where the data may land up.”

Specifically, Basu created security policies and simple AI dos and don’ts addressing AI usage for Careful Security clients. As is typical these days, people are uploading information into AI models to stay competitive. However, Basu says a regular user would need security gateways built into their AI tools to identify and redact sensitive information. In addition, GenAI IP laws are ambiguous, so it’s not always clear who owns the copyright of AI generated content that has been altered by a human.

From Cautious Curiosity to Risk-Aware Adoption

Ed Gaudet, CEO and founder of healthcare risk management solution provider Censinet says over the years as a user and as a CISO, his GenAI experience has transitioned from cautious curiosity to a more structured, risk-aware adoption of GenAI capabilities.

“It is undeniable that GenAI opens a vast array of opportunities, though careful planning and continuous learning remain critical to contain the risks that it brings,” says Gaudet. “I was initially cautious about GenAI at the start because of the privacy of data, IP protection and misuse. Early versions of GenAI tools, for instance, highlighted how input data was stored or used for further training.
But as the technology has improved and providers have put better safeguards in place — opt-out data and secure APIs — I have come to see what it can do when used responsibly.”

Gaudet believes sensitive or proprietary data should never be input into GenAI systems, such as OpenAI or proprietary LLMs. He has also made it mandatory for teams to use only vetted and authorized tools, preferably those that run on secure, on-premises environments to reduce data exposure.

“One of the significant challenges has been educating non-technical teams on these policies,” says Gaudet. “GenAI is considered a ‘black box’ solution by many users, and they do not always understand all the potential risks associated with data leaks or the creation of misinformation.”

Patricia Thaine, co-founder and CEO at data privacy solution provider Private AI, says curating data for machine learning is complicated enough without having to additionally think about access controls, purpose limitation, and the security of personal and confidential company information going to third parties.

“This was never going to be an easy task, no matter when it happened,” says Thaine. “The success of this gargantuan endeavor depends almost entirely on whether organizations can maintain trust with proper AI governance in place and whether we have finally understood just how fundamentally important meticulous data curation and quality annotations are, regardless of how large a model we throw at a task.”

The Risks Can Outweigh the Benefits

More workers are using GenAI for brainstorming, generating content, writing code, research, and analysis. While it has the potential to provide valuable contributions to various workflows as it matures, too much can go wrong without the proper safeguards.
“As a [CISO], I view this technology as presenting more risks than benefits without proper safeguards,” says Harold Rivas, CISO at global cybersecurity company Trellix. “Several companies have poorly adopted the technology in the hopes of promoting their products as innovative, but the technology itself has continued to impress me with its staggeringly rapid evolution.”

However, hallucinations can get in the way. Rivas recommends conducting experiments in controlled environments and implementing guardrails for GenAI adoption. Without them, companies can fall victim to high-profile cyber incidents like they did when first adopting cloud.

Dev Nag, CEO of support automation company QueryPal, says he had initial, well-founded concerns around data privacy and control, but the landscape has matured significantly in the past year.

“The emergence of edge AI solutions, on-device inference capabilities, and private LLM deployments has fundamentally changed our risk calculation. Where we once had to choose between functionality and data privacy, we can now deploy models that never send sensitive data outside our control boundary,” says Nag. “We’re running quantized open-source models within our own infrastructure, which gives us both predictable performance and complete data sovereignty.”

The standards landscape has also evolved. The release of NIST’s AI Risk Management Framework and concrete guidance from major cloud providers on AI governance provide clear frameworks to audit against.

“We’ve implemented these controls within our existing security architecture, treating AI much like any other data-processing capability that requires appropriate safeguards. From a practical standpoint, we’re now running different AI workloads based on data sensitivity,” says Nag.
“Public-facing functions might leverage cloud APIs with appropriate controls, while sensitive data processing happens exclusively on private infrastructure using our own models. This tiered approach lets us maximize utility while maintaining strict control over sensitive data.”

The rise of enterprise-grade AI platforms with SOC 2 compliance, private instances and no data retention policies has also expanded QueryPal’s options for semi-sensitive workloads.

“When combined with proper data classification and access controls, these platforms can be safely integrated into many business processes. That said, we maintain rigorous monitoring and access controls around all AI systems,” says Nag. “We treat model inputs and outputs as sensitive data streams that need to be tracked, logged and audited. Our incident response procedures specifically account for AI-related data exposure scenarios, and we regularly test these procedures.”

GenAI Is Improving


New Cybersecurity Rules Coming for Health Care

Health care organizations may soon be subject to new cybersecurity rules. The US Department of Health and Human Services (HHS) is proposing an update to the HIPAA Security Rule that would require covered health care entities to bolster their cybersecurity posture.

The proposed change comes as breaches continue to wreak havoc in the health care industry. From 2009 to 2023, health care organizations reported 5,887 data breaches involving 500 or more records to the Office for Civil Rights (OCR), according to The HIPAA Journal. A total of 667 health care data breaches occurred in 2024.

Melanie Fontes Rainer, OCR director, pointed to the ransomware attack on Change Healthcare as an example of how these breaches are growing and impacting more people.

“This proposed rule to upgrade the HIPAA Security Rule addresses current and future cybersecurity threats. It would require updates to existing cybersecurity safeguards to reflect advances in technology and cybersecurity, and help ensure that doctors, health plans, and others providing health care meet their obligations to protect the security of individuals’ protected health information across the nation,” Fontes Rainer said in the HHS press release.

Proposed Rule

The HIPAA Security Rule, published in 2003, has not been updated since 2013, according to HHS. Covered entities handling electronic protected health information (ePHI) — including health care providers, health plans, health care clearinghouses, and business associates — would need to adhere to the updates in the proposed rule.

The unpublished version of the rule outlines proposed amendments to the Security Rule. The proposed changes are designed to align with best practices in cybersecurity, such as multifactor authentication, encryption of ePHI, network segmentation, and vulnerability scanning.
Under the proposed rule, covered entities would be required to regularly review, test, and update cybersecurity policies and procedures, according to HHS.   “This rule represents a clear mandate for health care organizations, heightened accountability and an even greater emphasis on robust security protocols,” Shawn Hodges, CEO of Revelation Pharma, a national network of compounding pharmacies, tells InformationWeek via email. “Compliance will demand an ongoing commitment to quality control, frequent system audits, and advanced data protection measures.”  From Proposal to Practice  The proposed rule is scheduled to be published in the Federal Register on Jan. 6. Stakeholders will be able to share feedback during a 60-day public comment period. New regulations always come with the potential for pushback.   Related:How AI Can Speed Disaster Recovery “One of the things that people will push back on is it really is going to take resources, costs and people to implement a lot of these changes,” Brian Arnold, director of legal affairs at managed cybersecurity platform Huntress, tells InformationWeek.   Resource constraint is a common concern in the health care industry, particularly for rural health care organizations and smaller providers.   Anne Neuberger, the US deputy national security advisor for cyber and emerging technology, estimates that the proposed rule would cost $9 billion in its first year and then $6 billion over the following four years, Reuters reports.   “We faced similar apprehensions when HIPAA was first introduced over two decades ago,” says Hodges. “At the end of the day, these regulations exist to serve one purpose: protecting patients and their information. Every stakeholder in health care must recognize that this isn’t just a regulatory obligation — it’s a moral one.”  The public comment period will cross over into the incoming Trump administration, raising questions about the fate of the proposed rule.   
Arnold points out that issues like cybersecurity, data privacy, and national security are typically considered more bipartisan than others. On the other hand, the Trump administration has signaled a desire to slash regulations. What that means for HHS and this rule remains to be seen.   Related:Bridging a Culture Gap: A CISO’s Role in the Zero-Trust Era “There is the chance that there won’t be a lot of tabling of this rule and maybe embracing it, but I do think it presents the opportunity where there could be some tweaks to it [that] you might not normally have gotten if it was proposed and then adopted under the same administration,” says Arnold. “I don’t expect these to be the final versions of the rules.”   Critical Infrastructure Under Siege  Critical infrastructure continues to be a target of threat actors, both nation state-backed groups and financially motivated criminal actors. Health care is just one of those targeted sectors that could be subject to new cybersecurity rules.   “The combination of increasing awareness of the overall vulnerability of critical infrastructure cybersecurity and the increased targeting of [critical infrastructure] by both cybercriminals and nation state threat actors like Volt Typhoon lead me to believe that we’ll see more rule updates like this one in the coming year,” says Trey Ford, CISO for the Americas at Bugcrowd, a crowdsourced cybersecurity company, in an email interview.   While the final version of the proposed changes to HIPAA and a timeline for adoption are uncertain, the threats the new rule aims to address remain a reality in health care.   “All in all, cybersecurity should be treated as a cornerstone of patient care. Protecting health information is not just an IT task — it’s everyone’s responsibility in health care,” says Hodges. source

Comcast Urges 2nd Win Over Viamedia Market Shutout Claims

By Lauraann Wood (January 10, 2025, 10:07 PM EST) — Comcast and Viamedia clashed Friday over whether an Illinois federal judge should decide if Comcast’s platform connecting spot cable providers to advertisers is a one- or two-sided platform as she determines whether Viamedia’s market monopoly claims should go to trial, as the Seventh Circuit once envisioned….
