By Merritt Baer, Chief Security Officer at Enkrypt AI

The rapid evolution of AI technology in the last couple of years has transformed the way we work, do business, and secure our critical data. This applies across all sectors and specialties, with particular emphasis on data security and privacy in highly regulated industries. With AI permeating virtually every type of software, app, and system being used in enterprise organizations, CISOs face a new challenge that’s complex and multifaceted: how to decide which vendor to trust in the emerging, and already crowded, AI SOC market.

As someone who regularly meets with other CISOs, I wanted to share some insights about how you can best approach AI SOC vendors, what to look for in an AI SOC solution, and what broader contextual understanding will help guide you toward the right decision for your organization. AI is changing the nature of security work altogether, which directly impacts what AI in the SOC looks like in this brave new world.

New Technology Calls for New Metrics

When looking to invest in new software systems, stakeholders, including the Board and the rest of the C-suite, often expect to see key metrics for proof of ROI. The SOC is no exception. With no inherent expertise in this area, they look to the bottom line—for example, asking how much you’re able to reduce head count by investing in an AI SOC tool.

But this is a bit reductive. What you should be asking instead is how the solution will help your existing team work better. With AI changing the nature of work, we need new metrics to demonstrate how implementing AI across your security organization improves processes and outcomes.

For example, I recently met with the CISO of a financial services organization that’s using AI to relieve loan processors from menial daily tasks so they can focus solely on processing loans. This shift in work focus, slightly alters their role in the company. While this is a clear example of AI producing a positive change, it’s a change that would not be reflected in the traditional head count metric. This is the same within the SOC.  An AI SOC doesn’t necessarily reduce the need for people. It just means that the team you do have can  take more of a proactive vs. reactive stance.

The Changing Nature of Data and Security

One of the most important factors to consider when comparing AI SOC tools is that we’re not dealing with the same threat landscape that we were a year ago, or even a month ago. In a world where AI is everywhere, threats show up differently—and must be responded to differently, too. Security behaviors must continuously adapt if you want to stay ahead.

Constant change makes AI essential in the SOC. The question is, can you trust it to work completely autonomously? While I’m all-in on AI, I do believe that human oversight is essential. AI and machine learning can (and should) be trusted to handle volume-heavy tasks with greater speed and accuracy, but humans bring deep contextual knowledge to security work that machines simply can’t mimic. So, that’s the first factor to consider when comparing AI SOC vendors: is the solution fully autonomous, or does it keep humans at the helm?

Adapting to Your Specific Needs

One question I often hear from CISOs is, what are successful enterprises and SOCs doing right when it comes to AI? What are the applications, behaviors, and best-practices that similar organizations are using to deliver the best possible outcomes when deploying AI? While I’m always happy to talk shop with other security experts, it’s important to understand that each SOC is 100% unique, and what works at one organization may not work at another, even if they’re in the same industry and share traits.

The very nature of cyber security today demands tools that are fully customizable and adaptable to your unique needs. Change is constant. Even if an out-of-the-box solution does what you need it to now, it may not be able to meet your needs in the near future. Investing in a customizable AI platform enables you to incorporate it into your security infrastructure in a way that’s thoughtful, meaningful, and impactful, while also being fully adaptable as your SOC needs change. 

Data Processing: To Clean, or Not to Clean

Another important aspect of security operations in this new, AI-fueled world is that the very nature of data itself is changing. It’s proliferating rapidly, and coming from an ever-increasing array of sources—making much of the threat intelligence data your cybersecurity teams deal with unstructured.

Automation can help your SOC handle a higher volume of threat intelligence data. However, it needs to be able to connect all available data sources and tools together, and parse and analyze both structured and unstructured data where it is. The need to extract or ingest data before analysis slows you down, and that won’t cut it in today’s fast-moving threat landscape. When assessing AI vendors, be sure to ask if the proposed solution requires ETL. 

Once all that available data has been analyzed, you also need an AI SOC that surfaces timely, actionable insights. This will enable your security operations team to respond at speed, preventing attacks before the damage is done. It’s not about another tool to the ecosystem. It’s about separating the signal from the noise, enabling them to make smarter, more informed decisions about which threats to respond to first.

The Security of AI Itself

Finally, CISOs must carefully assess the security of the AI used by any vendor they’re considering for the SOC. The risks of AI are well known, which is why we’re seeing increasing data security regulations around its use, from the EU AI Act, to various state-based regulations in the US as well as standards laid out by regulatory bodies such as the International Organization for Standardization (ISO) and the Financial Industry Regulatory Authority (FINRA).

This means that we need repeatable, attestable, defensible — and auditable — security as table stakes for any AI SOC solution, no matter what industry or country regimes . But more importantly, consider how the AI vendor approaches security and safety. Can you trust them to protect your own network, applications, and data? Can you trust the data they use to train the AI? Are you certain they’ll never use your data for this purpose?

With more and more apps in your environment having AI features built into them, whether licensed apps or just the ones employees use in their daily work, the way we think about perimeters and content is changing. This dramatically reduces the time to successful lateral movement.