AI in the trenches: NTT DATA and Cisco’s security strategies

In a recent NTT DATA–Cisco webinar, Vikesh Gumpalli, Senior Vice President of Technology Solutions and Sales for NTT DATA North America, and Jason Lish, Global Chief Information Security Officer at Cisco, discussed the evolving landscape of enterprise security in the age of AI.

Here are edited highlights of their conversation.

AI and information security

Vikesh Gumpalli: Every business leader wants to leverage AI. From a CISO’s perspective, how does the rise of AI affect enterprise information security?

Jason Lish: We can address this in three ways. First, how do we use AI to defend our enterprises and equip our security professionals with better tools and capabilities, even as threat actors use AI against us?

Second, how do we leverage AI’s capabilities to make enterprises more productive from a GenAI or agentic AI perspective?

Third, many of us are incorporating AI into our own products and services. Often it becomes a buy-versus-bill conversation. Do we use our own AI capabilities to customize existing tools and processes, or do we partner with service providers?

At the same time, we don’t want to forget about the many standard attacks we’re seeing — credential harvesting, credential reuse, phishing and more. AI is making these more accessible to threat actors. We still need to do basic blocking even while we’re on this AI journey.

VG: A fundamental question is how AI-ready an organization is from a security perspective. What would you recommend for such an assessment?

JL: Cisco has an AI Readiness Index focusing on different categories, from data health and cleanliness and on-premises or cloud infrastructure to governance and responsible AI. We look at all these categories from an AI perspective.

It’s easy to buy an AI tool like Copilot and help people to write better emails, but ultimately we ask, what is your business trying to achieve with AI? Is it speeding up your go to market, marketing more effectively, understanding your customers better or defending themselves? What are the use-case priorities?

• ALSO READ → Proactive risk management: The secret to securing your AI journey

Finding the balance between innovation and governance

VG: Balancing innovation and governance is becoming trickier. How do organizations do it, particularly when they want to use AI and other advanced technologies but still have the controls in place to maintain a robust security posture?

JL: First, consider the basic things that all organizations should do to drive responsible AI — for example, looking at ethics or bias, or adding security to avoid exposing customer or employee information.

Then, what are the regulatory and legal obligations in your industry? Governments are putting out regulations, and we have to be conscious of all the different requirements based on our business model.

When our clients assess the value of their AI use cases, it’s the first technology out there that spans all their business functions.

From a structural perspective, we want to integrate the whole organization — security, engineering, legal, HR — into a holistic governance model. This is what we’re doing at Cisco as opposed to having different, spread-out AI governance structures.

It’s important to foster innovation and move fast, but you also have to abide by the compliance, ethical and security requirements.

VG: When our clients assess the value of their AI use cases, it’s the first technology out there that spans all their business functions. It’s a strategic conversation where they say, “We’re doing a proof of concept to validate this, but what’s really driving the nudge from proof of concept to production is the impact of the technology on our business.”

If you want to assess the security posture, it’s a case of build or buy for AI tools. More and more clients are willing to build to protect the sovereignty of their datasets and have more control over the outcomes of their use cases.

JL: There are different elements to governance considerations, too. For example, how do you govern secure AI development? How do you govern tool selection? You’re incorporating AI from a procurement perspective all the way down to employee usage.

When GenAI was launched in the industry, everybody flocked to it and there were concerns about sensitive company information being uploaded to basically public systems. Companies had to decide whether to block these sites altogether, put up guardrails or offer training to employees, but making the right decision needs governance.

At Cisco, we’re working with our product team to incorporate capabilities into our security products that allow users to safely visit GenAI sites but prevent sensitive information from being uploaded. It’s all part of the governance journey.

Security by design

VG: You mentioned that you are working with your product teams at Cisco. How are you inserting yourself into the product lifecycle now that embedded security is becoming ubiquitous?

JL: We’ve introduced a billion-dollar fund for investing in AI companies. How do we as Cisco, a large technology provider, help shape and build the overall ecosystem when it comes to AI and provide funding to help expedite some of these innovations?

We’re also looking at ourselves, whether we build or buy. We’ve made a couple of acquisitions recently. The latest was Robust Intelligence, an AI research company that we’re using to add more advanced AI capabilities to our products. My team is part of the mergers and acquisitions due-diligence process.

Then, how do we help our customers to better use AI? We’ve just introduced Cisco AI Defense. It’s about securing AI models and understanding things like prompt injections, hallucinations and everything else to worry about from a data-leakage standpoint, and identifying these early on.

Lastly, we need to protect users no matter where they are in the world. Whether you’re in a Starbucks in Asia or at home in the US, we want to apply the same controls and capabilities. We’re using Cisco Secure Access to define seamless policies across geographical locations and devices.

For NTT DATA, as a global system integrator, how are you positioning yourself and your clients to address these challenges?

A systems integrator connects technologies and business outcomes so the client sees ROI and full adoption.

VG: NTT DATA has been involved in security for a long time, while AI has come to the fore in the past 18 to 24 months. We now have an AI practice of about 1,000 employees who are engaging with our clients to assess leveraging AI as a build or buy, which exposes their security postures.

It’s sparking conversations about their technology stack and infrastructure — how they can get to where they want to be. NTT DATA is the only full-stack system integrator out there. We and our partners work with our clients all the way from helping them plan their AI governance roadmap and security to choosing the right technology and providing operational and adoption support.

Our clients invest in these technologies to achieve something, whether it’s driving value for shareholders, employees or clients. We’re in a great position to help them do that.

Some clients may do it all upfront; some may want to do it piecemeal. Our average enterprise client has 10 to 13 security solutions and two to three times as many application solutions. Being able to stitch it all together into a security strategy is complex. A systems integrator connects technologies and business outcomes so the client sees ROI and full adoption.

JL: Systems integrators are an important part of the journey, and not only because they get to understand your business. A key part of the partnership is that organizational knowledge, but they can also compare and benchmark where others are going. When you’re leading an organization, you know your company, but you can’t always connect the dots between all the other pieces out there. That’s where partners like NTT DATA come in.

And when you need to do sprints around certain investments, whether it’s AI or anything else, having a partner to jump-start and expedite that is also important.

• ALSO READ → The double-edged sword of AI in cybersecurity

Why working with an expert system integrator matters

VG: What model do you see working effectively when clients use companies like Cisco and NTT DATA to help them drive ROI?

JL: Often, we partner with a general systems integrator to help us see what’s out there in the ecosystem and model the things that we need versus the things that aren’t needed.

Doing this upfront is important. It’s easy to go and buy a tool, but will we use 60% of its capabilities and shelve the rest, or can we maximize the investment to replace or consolidate something? Many of us are on that journey, and, as budgets become tighter, we have to be selective in what we bring in and what we can move out or consolidate.

VG: Adoption integration is an important point. Many enterprises will do the first tranche of the deployment but not keep it going or measure its effectiveness continuously. You end with scope creep and new-app creep, and you end up stuck in an environment that’s maybe even more complex than before.

JL: It’s like when you’re buying a house and find a four-bedroom place with three bathrooms, but you end up using only two bedrooms and a bathroom. The others sit empty, but you’re still cooling and heating them.

Don’t neglect the basics

VG: We talked about governance, technology and security postures. Give me one key takeaway and a call to action for our audience today.

JL: It goes back to one of the things we discussed: assessing where you are on this journey. It comes down to readiness, just like any other technology evolution. How ready is your organization to go down the AI path in all the different ways that I mentioned?

There are so many tools out there, but what talent do you need? What’s the technology infrastructure that you have or need to invest in? Do you need application modernization? Do you have strategic integrators to partner with to expedite your readiness journey?

And then, what are your key use cases for AI, and what are your priorities around these so you don’t get lost in the sea of marketing and distractions along the way?

VG: It’s important to do the basics well: having the right business case, making the right investments, focusing on governance and hygiene. No matter how the technology evolves, you’ll then be on a much better footing to take advantage of it fast and innovatively.

JL: That’s critical. If you’re not doing the basics well today and you have inadequate processes, excessive permissions or unclean data, applying AI will just exacerbate those issues.

Now is the time to use AI as a catalyst to get your backyard in order, so that when you go on that journey, you will mature a lot faster.