'Take a breath:' A CISO's Claude Mythos advice for CIOs

Anthropic's Claude Mythos announcement has raised fears among CIOs that the AI model will outperform humans at finding and exploiting software vulnerabilities.

Announced in April as Mythos Preview, Anthropic gave 12 enterprises, including tech giants AWS, Nvidia, Microsoft, Apple and Google, access to the tool as part of Project Glasswing. Project Glasswing aims to use Mythos Preview to secure the world's most critical infrastructure, and the partners will share learnings with the industry.

In this Q&A, Diana Kelley -- CISO at Noma Security -- speaks to TechTarget about what CIOs need to know about preparing for a new era of AI threats.

Editor's note: This Q&A has been edited for clarity and conciseness.

The headlines around Claude Mythos, AI and hacking have been alarming. Is the fear warranted, or is it being overplayed? 

Diana Kelley: I have seen some headlines that are very reasonable and balanced, some headlines that may not understand the truth and some headlines that make it feel a little like the sky is falling.

Everybody should take a beat and take a breath as they think about what this means, because the reality is that LLMs -- and Claude is one model, but there are others -- have vulnerabilities. LLMs have been enabling adversaries to find vulnerabilities very quickly. They can drive some automation of attack or reconnaissance work, and they now have tools that help them do that more easily, and in some cases more effectively.

What should CIOs do in response?

Kelley: For us on the defender side, we have a couple of things we very clearly need to do. First of all, we should be using these tools ourselves. We need to be using the autonomous, AI-driven vulnerability-finding tools to test our own systems, find where our vulnerabilities are and find where the attack paths are through our organization, so we can address those exposures before an attacker finds them.

Another thing that's really important for CIOs is technical security debt, such as unpatched vulnerabilities, the risks the organization knows are there that are exploitable, that haven't yet been addressed. This technical exposure, this legacy debt, is most likely going to be more of a problem now that attackers have better and cheaper tools to find where those holes are.

CIOs and CISOs should get together and look at their security debt and the overall hygiene approach to addressing that debt. Some companies have been depending on the fact that attackers haven't been able to find their way through, and I think we need to go back through with this new lens, understanding these new tools are out there, and really say: Is this debt we can continue to live with, or is this debt we now need to address?

How should CIOs and CISOs work together on this?

Kelley: Just sitting down in a room together and having a whiteboard session looking at what this means, and asking, "What are we going to do?" The more CIOs and CISOs can talk and be collaborators, the better. Sometimes they can be at odds, but now is the perfect time to have some of those conversations.

Is this primarily a problem for poorly defended organizations, or is everyone at risk?

Kelley: I think everybody needs to take into account that these systems are able to find vulnerabilities. Where you find a big difference is in organizations that don't have the time or resources to address their security hygiene and security debt, ensuring they're doing enough testing going forward. That's really where the difference is coming in.

Beyond tools like Claude Mythos, what other AI-related threats should CIOs be thinking about?

Kelley: Companies have said to their employees, "Go out and adopt AI and use it to do your job," but as they do this, they're potentially creating a new and different attack surface.

The CIO and the CISO may not have full visibility or observability into what tools are adopted, what agents are being used and what systems they're hooked up to. If you've used things like Copilot or Gemini, they can connect to productivity tools, databases and a lot of content. That both gives them data and lets them potentially take action.

The first thing that's really critical is to get that observability layer, to make sure you've got visibility into what people are doing, and then take action if something in use is going wrong. For example, if you see a tool deleting a production database, do you have the ability to stop that at runtime? Can you stop it at that action layer or not? First, seeing what people do and then getting some control to limit the blast radius -- that is absolutely critical for all CIOs and CISOs right now.

How should CIOs communicate about this to their boards?

Kelley: Boards are taking it very seriously. They have a big drive for efficiency from AI, and there are a lot of boards saying, "What are we doing? Are we taking advantage of this? Are we staying ahead of our competition?" Because there's also concern that if you're not using AI properly, your competition will.

What the board needs from the CIOs and CISOs is to understand how the risk translates to the business. Don't just come in and defend against a headline, and don't say this is all really scary and we should stop adoption, as that's not going to work.

Come in with visibility. Share the major initiatives in the organization that are using AI, explain how they're using it and be clear about what our critical third parties are using. Then, you can start explaining what's putting the company at risk, or what additional controls you may need to put around that use. You're not just fighting headlines. You're really talking about how to adopt rapidly without putting the business at excessive risk. And then it's a different conversation.

Any final advice for CIOs navigating this moment?

Kelley: If you don't have true visibility across your organization of what people are doing with AI, it's going to be very hard to build all these other blocks on top. You need that foundation. It needs to be very solid and up and running in real time.

On top of that, understand who within the organization has adopted what and why, ask what they're doing with it and work with the CISO to understand the risks around that adoption. Build the right controls, have the right policies in place, and get the right partners to help you.

AI adoption is here. It's just a matter of whether you have a good handle on it. Are you navigating through the choppy waters and going to get to the other side, or are you going to get some water in the boat? Visibility and collaboration are going to help a lot.

Harriet Jamieson is a senior manager of custom content and writer for the IT Strategy team at TechTarget.