Summary

An experienced cybersecurity professional used ChatGPT to create a high-level cybersecurity roadmap for a friend's company.

Abstract

The author, a cybersecurity expert, explains how he assisted a friend ("John") in creating a simple yet effective cybersecurity strategy for his company. With a 24-hour deadline, John had no idea where to start. The author utilized ChatGPT to generate a focused and effective cybersecurity strategy based on NIST cybersecurity framework functions, including high-level strategic goals for 3-5 years, tactical goals for 6-12 months, and quick wins for immediate security improvement. The strategy was tailored to the company's specific requirements and provided practical tips for implementation.

Opinions

ChatGPT can be a useful tool for creating a high-level cybersecurity roadmap when given generic company information.
Cybersecurity teams without a proper roadmap can find themselves jumping from one issue to another without guidance.
Creating an effective strategy requires simplicity and answering essential questions about the current environment, future goals, regulations, and strategic/tactical objectives.
ChatGPT is a valuable tool for providing cybersecurity advice when prompted correctly.
ChatGPT should be used to generate a template for a unique roadmap rather than replacing analytical skills in cybersecurity.
Users should avoid sharing sensitive corporate information with ChatGPT.
The NIST Cybersecurity Framework is recommended for creating a cybersecurity roadmap.

I asked ChatGPT To Create a Cybersecurity Roadmap And This Happened

Can AI help with the strategic aspects of cybersecurity ??

If you have worked in Cybersecurity, you know creating a Cybersecurity roadmap is one of the most important (and challenging tasks) you can do.

It does not matter if you are a tech giant or a small startup. You WILL need a realistic and practical cyber-security strategy to guide your efforts.

Technology risks change rapidly, and cyber-security teams without a proper roadmap in place can find themselves jumping from one issue to another without any guidance.

A friend (let's call him John) who works in a tech company asked for my help.

His boss had asked John to provide a simple cybersecurity strategy for the company in the next 24 hours, and he had no idea where to start.

Let me show you how I used AI to make his life a bit easier!

Keeping It Simple (Stupid)

Before we jump into the AI bit .. the key element for creating an effective strategy is simplicity.

These are the questions John needed to ask himself:

What do I currently have in my environment?
What does good look like in the future?
What regulations do I need to comply with?
Which standard can I use to get a running start? (I personally love the NIST Cybersecurity Framework.)
How do I divide everything into strategic and tactical goals ??

Taking The Help of AI

First of all. I am not stupid.

I did not tell John to start dumping his company’s information into ChatGPT!

No, we just needed a quick, easy template that John could tailor for his company.

I already know what a high-level cybersecurity strategy looks like, so I used my favorite tool, ChatGPT, to help me.

ChatGPT has been getting backlash these last few months, but it is still a fantastic tool.

In addition to all the tech stuff it does .. it is surprisingly good at giving you cybersecurity advice, provided you ask it the right way.

This is the prompt I gave it.

I want you to take on the role of an experienced cybersecurity leader with decades of experience in strategic oversight of cybersecurity environments.

I want you to use your experience to generate a focused and effective cybersecurity strategy.

To generate the cybersecurity strategy, I want you to provide me the below:

• High level strategic goals for 3 to 5 years

• Tactical goals that can be accomplished over 6 to 12 months

• Quick wins that can provide me immediate security improvement

These are the key features of my company:

• We are required to follow the PCI DSS standard and ISO 27001.

• We have a mixture of windows and Linux servers and a hybrid environment comprising of on-prem and cloud.

• We are using the cloud primary for test environments.

• We have a SIEM solution that collects logs from all the servers

Please provide the strategy in a table format that aligns with the NIST cybersecurity framework functions and give me tips on how to implement each of the goals.

This is the high-level cybersecurity strategy that ChatGPT gave:

The tips for how to practically go about implementing this roadmap.

Not bad!

This was an excellent template that John could dump into Microsoft Word and tailor for his organization.

I turned him from a ChatGTP doubter to a fan by showing him how the tool can be a great way to help with the more strategic aspects of cybersecurity.

You can use the same, change the “These are the key features of my company:” section with your specific requirements.

Key points to keep in mind:

Do not put your corporate information into ChatGPT! Just give it generic information and use the high-level overview it generates to create your unique roadmap.
Remember, ChatGPT is there to help you, NOT replace your analytical skills in Cybersecurity. Do not just copy-paste the generic template into your environment, but build upon it.

I hope this was useful to you. Do clap and share this story if you found it beneficial !

Taimur Ijlal is a multi-award-winning, information security leader with over two decades of international experience in cyber-security and IT risk management in the fin-tech industry. Taimur can be connected on LinkedIn or on his YouTube channel “Cloud Security Guy” on which he regularly posts about Cloud Security, Artificial Intelligence, and general cyber-security career advice.

Check out my free Ebook on how to make more money in Cybersecurity here.