With obvious productivity gains at stake, more and more companies and professionals are embracing generative artificial intelligence. Just as marketing, finance and sales teams are turning to these platforms to boost operational efficiency, so too are chief information security officers (CISOs). With ChatGPT, they now have a virtual assistant to help them with their day-to-day tasks.

What are the use cases applicable to the CISO profession? How do you write effective prompts?

This article presents 12 ChatGPT prompts for that purpose.

Note: Do not share confidential or sensitive data with generative AI platforms. Anything you paste into a prompt (code, logs, documents) should be stripped of credentials, personal data and internal identifiers first.

Define the context in which you work with AI

Before writing your first prompts, define the context of your request: who you are, the environment in which you operate and the role ChatGPT should play.

"I'm in charge of information systems security for a company with 120 employees in the energy industry in France. You are an assistant CISO with 5 years' experience. Your answers should be concise, use a lexical field that can be understood by people with little expertise in cybersecurity, and should not include any emphasis. Replace the terms 'hacking' with 'compromise' and 'hacker' with 'cybercriminal'."

Keep in mind that the more detailed the context, the closer the answers to your prompts will be to your expectations.

Apply AI to governance issues

Ensuring effective governance of cybersecurity is often a complicated task for CISOs. With data sources often scattered throughout the company, and management tools sometimes ill-suited to the task, CISOs can quickly find themselves overwhelmed. Here are 5 quick tips for improving cyber governance within the company.

1. Analyze a law or directive

With the emergence of NIS 2 and DORA, anticipating new regulatory obligations is a prerequisite for CISOs.

To help you analyze these texts, you can ask ChatGPT to analyze a regulation as a whole, or a specific article of a legal text, and produce a summary tailored to your audience's level of understanding.

"Act as a cybersecurity expert with 10 years' experience. In this context, analyze regulation XXXX with the aim of being able to summarize its challenges and new features to [my management / a business contact] with a [high / low] level of cyber maturity. In particular, I need to be able to explain what's new and what the impact will be in terms of investment in new cybersecurity products."

For more detailed answers, enrich the prompt with the following information:

  • ask for an estimate of the compliance effort for the chosen regulation;
  • specify your business sector;
  • indicate your estimated cyber maturity level;
  • list the compliance frameworks you already monitor.

2. Identify a technological solution based on a list of criteria

Once you've identified the technological building blocks you need to implement in your information system, it's time to survey the market. Here again, ChatGPT can help you define the evaluation criteria on which to base your comparison.

"Identify for me the criteria to be evaluated when choosing an [IAM / EDR / XDR...] type solution for a company in the [sector] sector with [list of constraints] constraints. These criteria should focus on protection, project feasibility and IS compatibility. Each criterion must be rated between 0 and 4 and accompanied by a description. To do this, integrate the constraints of our IS, which are: [list, without going into detail, the technical constraints of your IS]."

3. Write a procedure

While ChatGPT will never produce a finalized procedure on the first try, it can nevertheless help you draft the outline.

"Write me a procedure detailing the actions a system administrator must take on the day an employee leaves the company. This procedure must take into account all the confidentiality and compliance risks associated with this type of situation. The procedure must not only detail the operations to be carried out, but also the control steps, defining for each the criteria for success/failure of the control."

To go a step further, include in your prompt any risks you have identified (shadow IT, BYOD, etc.).

4. Write an email template

Is an employee violating one of the rules of the company's IT charter? Use ChatGPT to create a notification email template.

"An employee is violating the company's IT charter by printing coloring pages for his children. In order to notify him of his infraction, write me an email template in a neutral and non-aggressive tone reminding him of the rules of the IT charter, which are [integrate rule(s)]."

5. Write a job description

Writing a job description is no easy task. It has to be both concise and attractive to the candidate. To do this, you can use the following prompt:

"Write me a job description for a CISO assistant position. Specify the typical tasks and skills required. The job description should give candidates an idea of what the job entails, but also stimulate their desire to find out more."

To go further:

  • provide ChatGPT with your company's existing or similar job descriptions;
  • detail the tasks you wish to entrust to this profile.


Use generative artificial intelligence to help you make decisions

ChatGPT is often seen as a simple executor: you ask it to produce, and it produces. That is a limited view; in reality the model can help you make decisions, broaden your perspective and bring angles and skills you may not have. Here's how.

6. Build a cybersecurity awareness program

To enable ChatGPT to expand your vision, collaborate with it as you would with a member of your team.

"I need to build a cybersecurity awareness program. I'm looking for a communication angle that speaks to all the company's employees. Do you have any examples of communication strategies? Please feel free to suggest humorous angles, such as the fact that passwords are like underpants - they can't be lent. I'd like to send an e-mail to all my organization's users about good cybersecurity practices. Each e-mail should have a punchy subject to make it easier to read, and should present a best practice, a justification, a list of questions and answers (FAQ format)."

To improve your prompt, you can specify the frequency of campaigns or the themes addressed.

If you test this prompt, you'll see that ChatGPT readily integrates humor into its results, with campaign titles such as "Phishing: don't take the bait!", "Software updates: the antidote to computer viruses!" and "Your voice assistant: a bug in the living room?".

7. Build a training plan

Instead of asking ChatGPT to write something, ask it to ask you questions, as in this example.

"I'm trying to build an ISO 27001 training program. The aim is to be able to train internal teams for a certification program. The training should take 3 sessions of 1 hour and should enable a user with no previous knowledge to master the basics of the standard and its application in a company. Do you have any advice for me on how to design a training program that won't be boring? To refine your answer, ask me some questions. Start with the first question."

8. Generate phishing email templates

As a CISO assistant, ChatGPT is a useful brainstorming partner. In this example, we ask it to identify phishing scenarios.

"I'm looking to write phishing emails for internal awareness purposes with my employees. Do you have any ideas for phishing email scenarios that might be applicable to this project?"

To improve the quality of the response, define the type of employee who will receive the campaign; this lets you adapt the scenarios to your target's level of maturity.

9. Assess skills

Competency assessment must be adapted to the employee's role and work environment. Here is a prompt to inspire the way you draft the questionnaire.

"I'm working on the creation of a cybersecurity best practice assessment questionnaire for company employees. My project is to design a 10-question quiz to measure whether employees have mastered good practices. I'd like you to advise me on which themes to tackle. Do you think that increasing the difficulty level is a good practice for this type of quiz? If so, what criteria would you use to increase the difficulty of the questions? Give me 3 examples of quizzes for different positions in the company (CEO, team leader, employee)."

Automate your technical analyses

ChatGPT isn't just for writing content; it can also help you with operational tasks such as analyzing source code or weekly vulnerability monitoring. These tasks can be automated with tools such as Zapier or Make. You will, however, need paid access to the OpenAI API to run prompts this way.

10. Audit source code to understand how it works

Faced with source code you don't understand? Use this prompt.

"Here's a source code whose structure I don't master, can you tell me how it works and what actions it generates?"

Note: ChatGPT cannot reliably determine whether code is malicious, but it can provide information that helps you make that assessment. Before pasting code, strip any embedded credentials, keys and internal hostnames from it (see the note at the start of this article).
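As an added example (not code from the original article), here is a Python pre-processing step that scrubs the most common kinds of secrets from a snippet before it is wrapped in the prompt above. The patterns, the `.corp.example` internal domain and the sample snippet are constructed for illustration; the AWS access key ID is Amazon's documented placeholder value, not a real credential.

```python
import re

# Heuristic redaction of secrets before a code snippet is sent to an external LLM.
# Each entry is (name, compiled pattern, replacement). Illustrative, not exhaustive.
SECRET_PATTERNS = [
    ("private_key",
     re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
     "[REDACTED PRIVATE KEY]"),
    ("aws_access_key_id",
     re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
     "[REDACTED AWS KEY ID]"),
    ("bearer_token",
     re.compile(r"(?i)(bearer\s+)[A-Za-z0-9\-._~+/]+=*"),
     r"\1[REDACTED TOKEN]"),
    ("credential_assignment",
     # password = "..."  /  api_key: '...'  /  client_secret = "..."
     re.compile(r"(?i)((?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*)(['\"])[^'\"]*\2"),
     r"\1\2[REDACTED]\2"),
    ("internal_hostname",
     # Assumed internal domain for this example; replace with your own.
     re.compile(r"\b[a-z0-9.-]+\.corp\.example\b"),
     "[REDACTED HOST]"),
]

PROMPT = ("Here's a source code whose structure I don't master, can you tell me "
          "how it works and what actions it generates?")


def redact(source: str) -> tuple[str, dict[str, int]]:
    """Apply every pattern in turn; return the scrubbed text and a per-pattern hit count."""
    counts: dict[str, int] = {}
    for name, pattern, replacement in SECRET_PATTERNS:
        source, hits = pattern.subn(replacement, source)
        if hits:
            counts[name] = hits
    return source, counts


def build_audit_prompt(source: str) -> str:
    """Redact first, then wrap the code in the article's prompt between plain delimiters."""
    redacted, _ = redact(source)
    return f"{PROMPT}\n\n--- code ---\n{redacted}\n--- end ---"


# Constructed sample snippet (not code from any real project). The AWS key ID is
# Amazon's documented example value; the key body and token are placeholders.
SAMPLE = '''import requests

AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
db_password = "hunter2"
API_URL = "https://billing.corp.example/api/v1"
PRIVATE_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAnotarealkeybody
-----END RSA PRIVATE KEY-----"""

def fetch():
    headers = {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.e30.signature"}
    return requests.get(API_URL, headers=headers).json()
'''

if __name__ == "__main__":
    scrubbed, hits = redact(SAMPLE)
    print(hits)  # which patterns fired, so you can review before sending
    print(build_audit_prompt(SAMPLE))
```

Review the hit counts before sending: a snippet that triggers no pattern is not proof that it is clean, only that none of these heuristics matched, so a manual read of the scrubbed text remains necessary.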

11. Monitor the latest vulnerabilities published around a product

Would you like to be notified of the latest vulnerabilities in your company's equipment? ChatGPT can help.

"I own a firewall [model] from brand [brand]. Searching the internet, list for me the vulnerabilities of the last 30 days."

12. Monitor the latest CVEs

As with the previous prompt, ChatGPT can automate the search for the latest CVEs and summarize each one.

"List me, by searching the Internet, the latest CVEs of the week."

Remember that ChatGPT should be integrated into your monitoring tools only as an imperfect source of information: verify every CVE identifier it returns against the NVD or the vendor's advisory, since a model answering from memory rather than from a live search can produce identifiers that do not exist. Response size is also limited, so long lists get truncated.
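As an added example covering prompts 11 and 12 (not code from the original article), the following Python script builds the NVD CVE API 2.0 query for one product over the last 30 days, filters and ranks the entries, and turns them into the text you hand to ChatGPT for summarization. The network call itself is not made; the response is a constructed sample in the NVD 2.0 shape, the `CVE-0000-*` identifiers are placeholders and the CPE name is hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Real NVD CVE API 2.0 endpoint; this script only builds the URL, it does not call it.
NVD_API = "https://services.nvd.nist.gov/rest/json/cves/2.0"
# Fixed reference time so the example is reproducible.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Hypothetical CPE name for "the firewall"; look up the real one in the NVD CPE dictionary.
SAMPLE_CPE = "cpe:2.3:o:vendor:firewall_os:-:*:*:*:*:*:*:*"


def nvd_query_url(cpe_name: str, days: int, now: datetime) -> str:
    """Query for CVEs matching cpe_name published in the last `days` days
    (NVD caps a pubStartDate/pubEndDate window at 120 days)."""
    fmt = "%Y-%m-%dT%H:%M:%S.000"
    params = {
        "cpeName": cpe_name,
        "pubStartDate": (now - timedelta(days=days)).strftime(fmt),
        "pubEndDate": now.strftime(fmt),
    }
    return NVD_API + "?" + urlencode(params)


def best_cvss(metrics: dict) -> tuple[float, str]:
    """Pick the newest CVSS version present (3.1, then 3.0, then 2.0)."""
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        for entry in metrics.get(key, []):
            data = entry.get("cvssData", {})
            # CVSS v2 entries carry baseSeverity next to cvssData, not inside it.
            severity = data.get("baseSeverity") or entry.get("baseSeverity", "UNKNOWN")
            return float(data.get("baseScore", 0.0)), severity
    return 0.0, "UNKNOWN"


def summarize(nvd_response: dict, now: datetime, days: int, min_score: float = 0.0) -> list[dict]:
    """Keep CVEs published inside the window and scoring at least min_score, highest first."""
    cutoff = now - timedelta(days=days)
    rows = []
    for item in nvd_response.get("vulnerabilities", []):
        cve = item["cve"]
        published = datetime.fromisoformat(cve["published"]).replace(tzinfo=timezone.utc)
        if published < cutoff:
            continue
        score, severity = best_cvss(cve.get("metrics", {}))
        if score < min_score:
            continue
        english = next((d["value"] for d in cve.get("descriptions", []) if d["lang"] == "en"), "")
        rows.append({"id": cve["id"], "published": published.date().isoformat(),
                     "score": score, "severity": severity, "description": english})
    rows.sort(key=lambda r: (-r["score"], r["id"]))
    return rows


def build_prompt(rows: list[dict], product: str) -> str:
    """Turn verified NVD rows into the text handed to ChatGPT; NVD stays the source of truth."""
    lines = [f"Summarize the following NVD entries for {product} for a non-technical reader. "
             "Do not add CVEs that are not listed."]
    for r in rows:
        lines.append(f"- {r['id']} ({r['published']}, CVSS {r['score']} {r['severity']}): {r['description']}")
    return "\n".join(lines)


# Constructed sample in the shape of an NVD 2.0 response; CVE-0000-* are placeholders, not real CVEs.
SAMPLE_RESPONSE = json.loads("""
{"vulnerabilities": [
  {"cve": {"id": "CVE-0000-0001", "published": "2024-05-20T10:00:00.000",
           "descriptions": [{"lang": "en", "value": "Constructed sample: unauthenticated code execution in the management interface."}],
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL"}}]}}},
  {"cve": {"id": "CVE-0000-0002", "published": "2024-03-01T08:30:00.000",
           "descriptions": [{"lang": "en", "value": "Constructed sample: older issue outside the 30-day window."}],
           "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH"}}]}}},
  {"cve": {"id": "CVE-0000-0003", "published": "2024-05-28T16:45:00.000",
           "descriptions": [{"lang": "en", "value": "Constructed sample: information disclosure via a verbose error page."}],
           "metrics": {"cvssMetricV2": [{"baseSeverity": "MEDIUM", "cvssData": {"baseScore": 4.3}}]}}}
]}
""")

if __name__ == "__main__":
    print(nvd_query_url(SAMPLE_CPE, 30, NOW))
    print(build_prompt(summarize(SAMPLE_RESPONSE, NOW, 30), "the firewall"))
```

The split matters: the identifiers, dates and scores come from NVD, and ChatGPT is only asked to rewrite them for the audience, so a fabricated CVE cannot enter the report through the model.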


Going further with GPTs

On November 6, 2023, OpenAI launched an assistant feature in ChatGPT called GPTs.

As with Apple's App Store, OpenAI lets all users create and publish specialized assistants around a theme.

For these assistants to be relevant, their creators give them custom instructions and, optionally, reference documents, and the assistant formulates its answers from that knowledge base.

In recent months, several GPTs have become available to cybersecurity professionals.

Here are some GPTs:

Note that these GPTs are published by private companies or unknown users, and you cannot inspect the instructions or documents behind them. Keep a critical eye on the answers generated, and apply the same rule as for ChatGPT itself: do not paste confidential data into them.