Prophylactic AI Security: Why a Proactive Strategy Matters More Than Ever

Tigran Petrosian
Before working in IT security, I was a tournament chess player. One of my greatest influences was World Champion Tigran Petrosian—known not for flashy attacks, but for his near-supernatural ability to anticipate his opponent's plans and neutralize threats before they happened. That skill, known in chess as prophylaxis, is one that the world of cybersecurity desperately needs to adopt.

From Chess to Cybersecurity: The Power of Prophylaxis

Prophylaxis in chess is the ability to anticipate your opponent’s strategy and block it before they execute it. Petrosian’s style wasn’t dramatic or aggressive, but it was extremely effective. He rarely lost. In much the same way, cybersecurity professionals must anticipate and neutralize risks before they evolve into threats.

Unfortunately, the current state of information security remains largely reactive. A scan finds vulnerabilities; the team patches them. A penetration test reveals gaps; the team scrambles to close them. An audit is scheduled; the security team addresses the findings. A new program is launched; the team performs a risk assessment. It’s a constant game of catch-up.

The Reactive Trap

Many organizations settle for this reactive approach because their security teams are often understaffed and overextended. Completing the bare minimum required to keep business operations running becomes the norm. But this approach is insufficient in the face of rapidly evolving threats. The frequency and scale of breaches affecting even well-funded companies underscore this point: patching holes after they appear is not enough.

A Real-World Example: The Cloud Vendor

About a decade ago, I audited a cloud vendor being considered to host databases containing electronic protected health information (ePHI). The vendor offered a Desktop-as-a-Service (DaaS) solution but disclosed that they didn’t run anti-malware on their servers or virtual machines. Their rationale? Each customer’s data was isolated on separate VMs, and according to them, there was no way for malware to jump from one VM to another on the same host.

I told them such an attack might not exist yet, but it could in the future. They dismissed the concern. A couple of years later, the exact type of attack I described became a reality. I don’t know what happened to that company, but I’d bet they weren’t ready.

Why AI Demands Proactive Security

It’s time we start supporting and encouraging a prophylactic approach to security—especially when it comes to Artificial Intelligence. AI is no longer a futuristic idea; it’s deeply embedded in today’s enterprise environments. Yet many organizations still don’t have tailored AI security policies, AI-specific awareness training, or even team members with expertise in AI risk management.

AI is not just another tool you plug in and forget. It intersects with data privacy, retention, and governance. It affects and is affected by every process it touches. That means:

  • Change management procedures must account for AI models and updates.

  • Incident response plans should include AI failure modes and attack vectors.

  • Risk assessments and business impact analyses need to evaluate AI-specific threats.

  • Security audits and frameworks like SOC 2 and PCI must evolve to address AI-related controls.

The Path Forward: Anticipate, Educate, Secure

If organizations don’t begin preparing now—learning the risks, training their teams, and proactively building out their AI security capabilities—they’ll find themselves struggling to catch up. AI is evolving fast, and malicious actors are already exploiting it to stay ahead of defenders.

Petrosian once said, “I was naturally cautious and disliked situations that involved risk.” In both chess and cybersecurity, it’s not the flashy moves that win—it’s the strategic ones. Prophylaxis is what keeps you one step ahead.

Whether it’s AI, cloud infrastructure, or endpoint protection, security professionals must take steps to anticipate threats before they become incidents. Because by the time you’re reacting, the game might already be lost.


If your organization hasn’t started preparing for AI security, now is the time—because tomorrow might be too late.
