Overview
A government agency needed to introduce machine learning & artificial intelligence platforming and tools in order to modernise data science & analytics capabilities, as part of a data transformation programme. Because of the potential sensitivity of data and serious cybersecurity threats, this required that the highest information security standards be met.
Key challenges
Bringing AI platforming into a government environment presented some unique challenges:
- risks from the fast-changing data science ecosystem
- data risk in multi-tenant environments
- new roles in a highly-regulated & unionised HR environment
Outcome
To overcome these challenges an iterative and hands-on approach was required. This meant leading technical delivery with a small innovation team while coordinating organisational work. The innovation team’s work identified requirements for immediate, transitional, and final (business-as-usual) processes.
A collaborative approach achieved consensus across HR, Architecture, Management, Finance and HR. Newly-developed procedures and roles aligned with ISO 27001 security and data privacy requirements ensuring that the platform could meet compliance demands, achieve security certification, and go into production.
Challenges in depth
Managing risks from the AI & ML ecosystem’s rapid pace of change
Institutional organisations in banking & government have relied on stringent, but slow information security processes. Risk is often mitigated by offloading risk to enterprise security vendor tools.
But with ML & AI, tools change at an ever-increasing pace. Analytic software, libraries, and language models can go from academic and open-source environments directly into the enterprise.
The lifecycle from release to commercialisation, and finally going through governance teams that are often backed up can mean that tools are outdated by the time they reach the hands of data scientists. In the worst cases ‘temporary workarounds’ to dealing with bureaucracy can end up creating shadow IT – security nightmares.
Managing this conflict can leave organisations having to choose between good security & governance or risk falling behind.
Solutions
The first step in managing emerging risks is to recognise that static, gatekeeping InfoSec & risk management processes and tools alone don’t scale. The second is to understand that when dealing with innovative technology, your own people often have the newest information and understand risk the best. The key is managing it effectively.
A security-in-depth approach allows you to manage ever-emerging risk. This means combining technology, processes, education, and cross-organisational cooperation.
First, a cross-organisational team of security, architecture, and data science teams was put together to identify known and emerging risks.
Second, processes and roles were developed to share the load of risk management. By devolving some InfoSec responsibilities backed by clear authority and accountability, the organisation was able to multiply its capability.
Along with clear authority and roles for existing risk, a framework was developed for managing new risks or situations outside of agreed boundaries, with clear lines of escalation.
A shared risk framework allows an organisation to go fast when things look normal, and take a step back and slow down when dangers appear.
Finally, tools for automation such as code vulnerability scanning were put into a trial to understand how they would perform against the agreed risk posture. This ‘tools last’ approach ensured that the organisation wasn’t just buying technology and hoping for the best, but rather making informed decisions and managing risks in the best way possible.
Managing data risk in multi-tenancy environments
For many high-security environments such as banks and government, the process of introducing new technology is a one-way street where security and architecture review boards must vet new technologies in a once-and-done process. Systems and the data they carry are often tied very closely together during security and risking processes.
With platforming technology, this can be near-impossible. You can never know what the data is going to be ahead of time. Tenants will have varied requirements, contexts, and use-cases. In ISO 27001-speak: the asset can’t be defined, so risk can’t be managed.
Managing risks and controls in the data science and platforming worlds together can be an administrative nightmare for an organisation.
Solutions
Managing data risk in the data science and platforming world starts with borrowing a page from the SaaS world, where risk at the platform level is considered separately from that of individual client context.
First, generic risks to the platform could be agreed, impacted and managed by the organisation as a whole. Next, we looked at how the platform would be used, treating separate parts of the organisation as classes of customers. We identified requirements for the highest level of controls (where PII was required for exploratory analysis), for a small cohort. Implementation of the platform was designed to handle these different flavours of platform instances – for general use, more secure, and high-capacity.
Finally, we adapted existing data risking processes to the platform deployment and administration process, ensuring that nothing could fall through the cracks.
Treating information security as a product requirement rather than an administrative barrier can mean the difference between moving quickly and securely or sitting in an endless cycle of uncertainty.
Information Security, Organisational Planning & HR
To achieve and maintain certification, information security management systems need to be kept up-to-date, cover new systems, processes, and bring HR along for the ride.
But, HR teams aren’t always well-equipped to understand how roles evolve with technology. Architecture & Dev teams, on the other hand, are usually too busy implementing to think about organisational management. Finally, security teams are often too busy performing operational security tasks to think about skills development and organisational change.
This leaves HR teams scrambling to catch up with what’s happening ‘on the ground’ with security often further behind.
Solutions
Rather than working in a strategic or project management silo, new roles and skills were identified by doing. Working with the delivery team during a pilot programme identified roles and responsibilities that could be handled initially by a small group within an innovation team. Barriers to scaling were then identified.
A sound delivery strategy for AI platforming requires looking at all of the variables together – technology, people, and processes. Having hands-on experience with all three is a requirement when there’s no reference point.
To solve the scaling issues, HR and organisational change management were involved throughout the process to understand newly-identified skills and provide training for existing staff. Finally, new job specifications were developed while management took the discovered information into consideration for organisational change plans.