
Lenovo CSO: AI adoption fuels security paranoia

Doug Fisher, Lenovo’s chief security officer, outlines the company’s approach to security and AI governance, and the importance of having a strong security culture to combat cyber threats amplified by the use of AI

Doug Fisher, Lenovo’s chief security officer, wears two hats. Not only is he responsible for the company’s overall security posture, he’s also spearheading the company’s artificial intelligence (AI) governance initiatives, applying the rigour of security protocols to the fast-moving field.

In a recent interview with Computer Weekly, he offered a glimpse into Lenovo’s security and AI governance strategies to help the company build and maintain trust with customers in a volatile digital landscape.

“I’m probably better described as the trust officer of the company,” said Fisher, noting the overarching goal of his dual roles. This focus on trust permeates every aspect of Lenovo’s security operations, from fundamental policies and employee culture to technical measures like penetration testing and red teaming exercises.

A key element of Lenovo’s strategy is what Fisher dubbed the “pantheon” view of security that includes policies, culture, infrastructure security, platform and product services security, supply chain security and physical security. All of these areas converge to protect data privacy and security, the ultimate priority for customers.

In terms of AI governance, Lenovo has established a centralised review process for all development projects, scrutinising them for ethical considerations, data privacy, intellectual property issues, data transfer compliance and, most recently, data sovereignty. “We’ve had nearly 600 projects go through our review process,” said Fisher.

Initially, around 30% of projects failed to meet the stringent criteria, but continuous training and feedback have dramatically reduced that number to 19%. He likened this process to the meticulous rules in Formula One racing, noting that even minor oversights could lead to significant setbacks and reputational damage.

Fisher’s team employs a range of security measures, including a secure software development lifecycle based on best practices from industry giants such as Microsoft, internal and external penetration testing, as well as red-teaming exercises designed to simulate real-world attacks. The company also actively engages with the security research community through a bug bounty programme, incentivising ethical hackers to identify and report vulnerabilities.


Acknowledging the critical role of threat intelligence, Fisher said Lenovo also contracts threat intelligence suppliers to monitor emerging threats and tailor its defences accordingly. In addition, it operates its own security operations centre (SOC) for some products and services, while also tapping external SOC capabilities.

Addressing the ongoing challenge of talent shortages in the cyber security industry, he noted the importance of cultivating a strong security culture within Lenovo. “Your biggest asset can be your biggest vulnerability,” said Fisher, referring to the potential for employee negligence to create security breaches.

To mitigate this risk, Lenovo mandates annual security training for all employees, including the CEO and executive staff, and strictly enforces compliance. This extends to managing network access, with a zero-trust policy and stringent controls on which devices may connect to the network. Fisher’s team also prioritises vulnerability remediation using a risk assessment framework, focusing resources on the threats that are most likely to occur and most damaging if they do.

The rise of generative AI and the potential for employees to use unsanctioned third-party tools presents new challenges in what’s known as shadow AI. Lenovo has responded by creating a “whitelist” of approved AI tools, streamlining security reviews, legal compliance and licensing agreements. Access to these tools is further restricted to authorised employees to prevent misuse and ensure compliance with licensing terms.

As a key supplier of servers, devices and systems used by some of the largest companies in the world, Lenovo has implemented a “transparent, trusted supply chain” programme, including security reviews of all suppliers and components.

It also controls physical security at its manufacturing facilities, and employs tamper-resistant packaging and tracking mechanisms for its products, effectively creating a chain of custody from factory to customer. “We believe that every step in the supply chain is a risk, and we work to eliminate as much risk as we can,” said Fisher.

Asked about some of his most pressing concerns, he pointed to the accelerating pace of sophisticated attacks fuelled by AI. Fisher highlighted the growing use of deepfakes and social engineering tactics, underscoring the importance of having a strong security culture to combat such emerging threats. “The acceleration of AI keeps me up more than anything,” he said, adding that he takes a “paranoid” approach to security as espoused by former Intel CEO Andy Grove, who noted that only the paranoid will survive.
