Attackers want one thing: credentials. To combat threats, enterprises are now looking at cutting the target area entirely, shifting from sign-in models to passwordless security.

Artificial intelligence makes phishing cheap to scale and security teams are now reporting surges in social engineering. That is why AuditBoard Inc. chose to remove passwords entirely so there was nothing left to phish, according to Rich Marcus (pictured), chief information security officer at AuditBoard.

AuditBoard’s Rich Marcus talks with theCUBE about risk and passwordless security.

“Anecdotally, we’ve seen a 400% increase in social engineering threats at AuditBoard. Part of that is because it’s just becoming more prolific in the world. AI is making it easier to launch these types of attacks,” Marcus said. “I think 70-to-80% of the attacks that we see appear to be some form of credential-compromise attack. Knowing that that’s what they’re after, we finally decided: Let’s just get rid of them. Let’s just not have the credentials and we don’t have to worry about it.”

Marcus spoke with theCUBE’s Rob Strechay and Rebecca Knight at Audit & Beyond, during an exclusive broadcast on theCUBE, SiliconANGLE Media’s livestreaming studio. They discussed the pressure for CISOs to adjust to both the promise — and potential threats — of artificial intelligence. (* Disclosure below.) 

Passwordless security and the new CISO playbook

AuditBoard pushed for passwordless security after a marked rise in social engineering attempts and months of vendor work to enable end-to-end passkeys. The rollout specifically relied on devices with Fast IDentity Online 2, or FIDO2, support. Employees liked the speed and information technology teams liked the quiet help desk, according to Marcus.

“It’s something that our employees really like,” he said. “The surprise twist to this implementation has been IT really likes it, too. If you think about it, if you don’t have a password, you can’t forget it.”

But the AI-informed attack volume isn’t the only thing expanding. The CISO remit is broader, too, according to Marcus. Leaders want security to advise on direction and help chart safe routes around risk while the business accelerates.

“More and more, they’re being called upon to be strategic business partners and to advise and consult the leadership on where do we go as a company to navigate around some of these tricky risks and threats,” he said. “To be an effective CISO today, you have to be really aligned with your leadership team; understand where the business is going.”

Just like the attack volume, the need for governance is rising. AuditBoard has announced RegComply to track regulatory change and acquired FairNow Inc. to add AI-governance content. Even so, audit and compliance remain toil-heavy, Marcus explained.  

“I think that the best thing we can do for folks in that situation is help them automate some of those manual tasks, free up some more time so they can be more strategic and figure out how they can be a business enabler,” he said. “If you ask any audit, risk or compliance practitioner, what they really want is to figure out how to manage risks so the business can be success.”

AuditBoard reinforces trust through established third-party certifications. That focus on regulatory tracking and AI governance helps customers keep pace with fast-changing requirements, Marcus explained.

“I like the engine analogy. I’ve often said … good brakes actually let the car drive faster,” he said. “We can understand where the risk appetite or risk tolerance [is] — give that level of control to the business — so they can go fast, hug the curves and get across the finish line safely.”

Here’s the complete video interview, part of SiliconANGLE’s and theCUBE’s coverage of the Audit & Beyond event:

(* Disclosure: TheCUBE is a paid media partner for the Audit & Beyond event. Neither AuditBoard, the sponsor of theCUBE’s event coverage, nor other sponsors have editorial control over content on theCUBE or SiliconANGLE.)

Photo: SiliconANGLE