Not many CISOs can say that they’ve worked at a business that found prosperity during a global pandemic, or at a video communications company in the process of pulling off a major rebrand as an “AI first” giant, but Zoom CISO Michael Adams sure can.
Between Dec. 2019 and Apr. 2020, the number of daily meeting participants on Zoom increased from 10 million to 300 million. As a result, Adams—who joined Zoom in 2020 as a chief counsel before becoming an interim, then permanent CISO in 2022—told IT Brew that his early years at Zoom were focused around bolstering the software-as-a-service company’s security posture and security strategy.
“It became more cohesive [and] it became more focused,” Adams said. “There was better alignment.”
New direction. These days, things look a little different for Adams. In November of last year, the pandemic success announced that it was ditching its solely videoconference-friendly reputation by changing its legal name from Zoom Video Communications to just Zoom Communications, signaling the company’s desire to be considered an “AI-first work platform.”
Adams told IT Brew that Zoom’s ongoing identity makeover caused the company to amp up its security program. Currently, there are three main areas of focus in the company’s security strategy framework for AI: AI by Zoom, AI for Zoomies (Zoom’s nickname for its employees), and AI against Zoomies.
According to Adams, AI by Zoom focuses on the AI products and functionalities that Zoom has developed for its platform and its users. AI for Zoomies homes in on how employees are using various AI products and features.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
“It is important to have a solid governance model about that for internal usage, so we’ve invested some time there,” he said.
AI against Zoomies centers around any malicious use of AI, including attacks against Zoom and its employees, as well as its customers. Together, Adams said the three areas serve as the company’s “highest priority” in its security program.
The company also continues to rely heavily on various frameworks and guidelines for AI and machine learning (ML) security, including the UK’s National Cyber Security Centre’s guidelines for secure AI system development and the National Institute of Standards and Technology’s AI Risk Management Framework. He added that Zoom has enhanced its secure development life cycle, as well.
“What we’ve actually done is we’ve built a product security AI/ML [framework], where we are internally measuring our maturity in that space as well,” he said.
Up ahead. Adams told IT Brew that there is plenty in the pipeline, but he believes Zoom’s AI security strategy is “very forward leaning.” He said that the company’s revamp has given it the opportunity to “aggressively” study where it can do better in its interactions with AI and ML.
“It’s created an opportunity for us to understand, right now today, what we need to do, and what we are doing to ensure product security, to ensure cybersecurity, and to ensure the right governance models within our company, so that we are responsible in all facets of how AI is used by us, used against us, and so forth as we carry forward,” he said.