CISOs rethink the security organization for the AI era

The ever-changing cybersecurity landscape has long kept CISOs on their toes, and now AI is bringing new challenges in how security teams operate and innovate. In some cases, the technology is even changing how they are perceived.

AI capabilities are increasingly being used in cybersecurity programs, according to Deloitte’s Future of Cyber Survey of US cyber decision-makers, with 43% of respondents using AI in their cybersecurity programs to a large extent.

This is helping CISOs gain more influence among an increasingly cyber-savvy C-suite: Almost one-third of respondents noted CISO involvement in strategic conversations about tech investment, the Deloitte survey says.

Still, the change is gradual, stresses Joe Oleksak, a partner at Plante Moran, an accounting and wealth management consultancy.

“After almost 30 years of cybersecurity consulting, I can say with confidence that AI hasn’t revolutionized security organizations — but it is gradually reshaping how they operate,” he says.

The biggest change Oleksak has seen is the growing realization that speed has become the defining factor. Security teams cannot take their foot off the pedal, though, and think that AI is a magic bullet, he contends.

“AI accelerates everything, both attacks and defenses, which means the fundamentals matter more than ever,” Oleksak says. “Provisioning, permissions, network segmentation, even what information is stored in shared folders must be closely managed, because AI magnifies every mistake.”

This is where discipline comes in. “Organizations that have invested in security over time are seeing efficiencies by layering AI-driven tools into their workflows,” Oleksak says. “But those who haven’t taken security seriously are still stuck with the same exposures they’ve always had. AI doesn’t magically catch them up.”

In fact, because attackers are using AI to make phishing, scanning, and deepfakes cheaper and faster, Oleksak adds, the gap between mature and unprepared organizations is widening.

Here is a look at how CISOs are re-examining their security organizations to keep up with the pace and potential of AI as the technology becomes a more frequent part of their strategies.

Shifting C-suite dynamics

Deneen DeFiore, vice president and CISO at United Airlines, says AI has unequivocally changed the nature of her relationship with the rest of the C-suite.

“AI has elevated cybersecurity into a strategic business conversation. I’m working more closely with other executives to ensure security is built into AI initiatives from the start,” she says. “It’s no longer just about protecting infrastructure — it’s about enabling innovation safely, building trust, and helping the business move faster with confidence.”

The shift has also occurred, she says, because of the airline’s commitment to responsible AI. “We’re focused on deploying AI ethically and transparently, with cybersecurity playing a central role in ensuring accountability, fairness, and resilience. This shared responsibility across the C-suite is reshaping how we lead and how we innovate.”

Much of this shift has to do with organizations having already seen what happens when security is treated as an afterthought, Oleksak notes. This occurred across the industry during the rollout of the internet in the 1990s, and Oleksak believes AI can follow the same pattern if C-suite dynamics don’t change.

“We cannot afford to repeat those mistakes,” he says. “For AI to be deployed responsibly, the CISO must be at the center of strategy and execution. A security-first approach, led by the CISO, and sponsored by executive management, is the only way to ensure AI strengthens rather than undermines the enterprise.”

Reshaping cyber-IT collaboration

The advent of AI has also changed how IT works with the security organization, shifting the focus from reactive security to proactive, strategic collaboration, DeFiore says.

“We’re now embedding cybersecurity into AI initiatives from the start, working closely across teams to ensure innovation is both safe and ethical,” she stresses. “Our commitment to responsible AI means every solution is designed with transparency, fairness, and accountability in mind.”

Jason Lander, senior vice president of product management at Aya Healthcare, who manages security for the organization, is also seeing a change in the dynamics between cybersecurity and IT.

“AI is noticeably reshaping how security and IT departments collaborate, streamline workflows, blend responsibilities, make decisions and redefine trust dynamics,” he says. “Our IT operations have become more intelligent and proactive. Our security team is gaining operational support and better visibility.”

While Plante Moran’s Oleksak doesn’t believe AI has significantly changed how most security organizations work with IT, he has seen the technology begin to shift expectations incrementally. “IT teams increasingly assume security can move faster because AI accelerates analysis and detection, and boards are starting to see the CISO as a more strategic role,” he says.

At the same time, Oleksak doesn’t think there is enough recognition that the CISO brings a fundamentally different perspective than IT.

“IT’s focus is on speed, efficiency, and enabling the business, while the CISO’s focus is on protecting the business. That distinction is often misunderstood,” he maintains. “As AI introduces powerful new risks, from deepfakes and AI-driven phishing to employees unintentionally exposing sensitive IP through AI queries, only the CISO is positioned to anticipate and mitigate these threats.”

Jill Knesek, CISO of BlackLine, reports to the financial software company’s CIO. As she sees it, the teams have always worked closely, but AI has taken that relationship to the next level.

“Now, we have to be aligned on everything we do,” says Knesek, who was previously an FBI agent in the Cyber Crimes Squad and CISO of Mattel. This is because AI tools add risk and allow for opportunities, she says.

Transforming the nature of work

AI is enabling various improvements at Aya Healthcare, including the ability to streamline and automate repetitive tasks, Lander says, thereby evolving how security work gets done.

“AI tools help retrieve data faster and expedite decision-making, which frees up team members’ time to focus on more strategic challenges,” he says. “We continue to upskill and train employees on new AI processes and tools, streamline systems integrations, identify immediate threat detection quicker, improve processes, and ensure a greater focus on overall security, and data governance and access.”

United Airlines’ DeFiore echoes that, saying AI now handles the noise by triaging alerts, surfacing anomalies, and automating repetitive tasks. This enables her security team to focus on strategic analysis, threat modeling, and resilience planning. “It’s made our operations faster, more focused, and more impactful.”

Lander says AI has even reshaped his daily work by placing an emphasis on process automation, prompting him to reassess past organizational choices and enhance strategic priorities.

“It requires a deeper knowledge in governance and risk, aligning AI capabilities with business objectives and balancing innovation with risk management,” he explains. “All of the investments we’re making at Aya are 100% mission-driven. Our innovative technologies ensure hospitals and healthcare facilities have the very best clinician when and where they’re needed most, while giving them time to focus on what’s most-important: patient care.”

BlackLine’s Knesek is zeroing in on her security operations team as the biggest use case for AI because it requires a lot of overhead. BlackLine has its own 24/7 security operations, and Knesek plans to put some security operations engineers in the company’s India office to get better coverage overnight and on weekends.

“That’s one area where we’re going to leverage the AI capability so we don’t have to hire as many people to provide that level of coverage across the globe,” she says.

The adoption of AI tools at Plante Moran “reflects a simple reality: The best way to combat AI-enabled threats is often with AI-enabled defenses,” Oleksak says. But as with all cybersecurity initiatives, technology is only one part of the solution, he points out. A sound defense begins with training and culture.

“We’ve made a deliberate effort to educate all employees on both the capabilities and the risks of AI, so they understand why our security protocols and policies matter,” Oleksak says. “We don’t want employees to fear AI — it’s software, and like all software it has vulnerabilities.”

Like United Airlines’ DeFiore, Oleksak says that what matters is how responsibly AI is used. AI tools can help employees move faster, but people need to remember the basics.

“For example, with deepfake voice farming now able to mimic executives, simple ‘old-school’ security practices like confirming instructions by phone are more important than ever,” he says.

Even though AI hasn’t changed the size or structure of security teams at the consultancy, it has changed the focus of their work: less on repetitive triage, more on judgment, communication, and reinforcing a culture of security, Oleksak says. “It’s made training, culture, and old-fashioned good judgment more important than ever.”

Making cybersecurity a more expansive effort

One of the complexities AI has introduced is the need to validate the technology and service providers’ own cybersecurity preparedness and processes — which has become a more expansive effort due to AI, Oleksak says.

“Deepfakes present enterprises with very real dangers, and they will only grow more prevalent,” he explains. “We are no exception and implemented redundant, often manual protocols to address these risks.”

For Aya Healthcare’s Lander, AI has introduced a host of new opportunities his teams are looking at. “We’re rethinking and redefining sensitive data. We’re also adopting better detection models and practices for distinguishing between human- and bot-generated behavior,” he says, adding that security professionals are also monitoring and planning for increased risk of security leaks.

At United Airlines, teams are being reorganized “to bring together threat analysts, engineers, and data scientists in more agile, collaborative pods,” DeFiore says.

“We’re hiring selectively for AI and machine learning expertise, but we’re also investing in our existing talent — training them to understand how AI works, how to validate models, and how to use these tools responsibly,” she says.

Feeling the pressure to work fast

Knesek remains concerned about AI’s unknowns, yet she says companies are pushing security teams to quickly build out new capabilities so they can say they have AI embedded in their products. Security and IT are “kind of the transportation team to lay the roads and guardrails so things don’t spin out of control,” she says. “We’re working at breakneck speed in some areas and the reality is, we don’t know exactly what the threats are. So, we’re trying to make sure that we’ve got the strongest rules in place.”

Echoing Oleksak, Knesek says she feels strongly about utilizing traditional security and having the right controls in place. Getting foundational security right will get you a long way, she says.

“Then, as you learn about more sophisticated attacks … we’ll have to pivot our tooling and capabilities to those risks.” For now, “the most important thing for us is just to stay aligned with where the business is driving us very quickly [and] make sure today [security] is doing what it needs to do from a foundational standpoint,” she says.

Questioning the output

As organizations rethink their approach to security, Oleksak advises CISOs to not get “dazzled by the hype,” and remember that AI is not a strategy but a tool. “Treat it like any other technology investment,” he says. “Start with your risk priorities, then decide where AI can realistically help.”

That means remembering AI magnifies strengths and weaknesses. “If your asset inventory is incomplete, if your IAM controls are loose, or if your patching cadence is poor, AI will not fix those problems; it will accelerate the mess,” Oleksak says.

It’s also important to take a cautious approach to deployment. He advises piloting AI tools in narrow use cases — such as for alert triage, log analysis, and phishing detection — and measuring outcomes. “Focus on augmenting human judgment, not replacing it,” he says.

Security teams will also build trust through transparency. “Train your teams to question AI output and educate your executives and employees on both the benefits and risks,” Oleksak says. “The CISO’s job is not just to deploy AI tools, but to ensure the organization understands how they fit into the bigger security picture.”

Building coalitions

AI should be used where it helps reduce risk, improve speed, or strengthen resilience, says DeFiore. “Build partnerships early — especially with legal, data, and operations teams,” she says. “Invest in education across the organization and stay grounded in ethics. AI decisions have real-world consequences, so organizations should use AI with care and consider potential accountability implications related to how it’s used.”

While AI is a powerful tool, DeFiore says it’s people who make it meaningful. “At United, safety is our foundation. AI helps us deliver on that promise with more precision and agility — but it’s the human judgment behind it that drives trust, impact and long-term value,” she says.

AI is not something to be feared, but its singular impact on security must be respected, says Oleksak.

Lander emphasizes the need to recognize that AI isn’t just a new tool but also “a new domain that requires careful governance, thoughtful integration, strategic thinking, and continuous learning. By embedding security from day one, engaging cross-functional stakeholders, anticipating unique AI risks, and investing in people and adaptive frameworks, CISOs can guide their organizations to responsibly and confidently harness AI’s potential.”

He recommends that CISOs plan and prepare for the AI era by building coalitions, ensuring AI is not managed as a silo, but as a shared responsibility. “The next few years will require an open mind and a view that AI is like a new member of the team who makes everyone better,” Lander says. “The CISO of the future is not just securing systems, they’re securing AI-enabled business success.”
