The brief for security leaders has changed. It used to be enough to reduce risk and keep the lights on. Now you are expected to enable AI adoption, connect more “things” to the network, modernize cloud at pace and still demonstrably reduce exposure, often without the comfort of ever-expanding budgets.
In that environment, innovation is not a nice-to-have. It is a control. When it is governed well, it reduces risk, improves resilience, protects your people and accelerates business outcomes. When it is unmanaged, it becomes shadow IT, tool sprawl, and fragile architectures that increase the blast radius of the next incident.
The solution is not simply to add more tools, more processes or more meetings. The solution is to bring discipline to innovation, so that experimentation becomes safe, repeatable and outcome-driven. As Marco Túlio Moraes recently noted in a CSO op-ed, “discipline is the new power move in cybersecurity leadership,” and that power move is often subtracting clutter and focusing on what actually reduces risk, rather than adding yet more controls.
What follows is a practical framework to harness innovation without exposure, grounded in four outcomes CISOs are already accountable for: operational capacity, security advantage, risk containment and business velocity.
Use innovation to reduce burnout, not to create side quests
Burnout is not a wellbeing footnote. It is an operational risk. The burnt-out analyst misses context. The disengaged engineer stops iterating. The overworked incident responder becomes reactive and brittle. Over time, that degrades detection quality, increases mean time to remediate, and drives attrition. You are not just losing staff, you are losing organizational memory and consistency. The 2025 ISC2 Cybersecurity Workforce Study found that almost half (48%) of respondents felt exhausted from trying to stay current on the latest threats and emerging technologies, and 47% often felt overwhelmed by the workload they were expected to bear.
Innovation is one of the most effective tools a CISO has to counter this, but only if it is aimed at eliminating toil.
Start with one blunt question: Where is judgment being wasted?
If your team spends significant time copying evidence into tickets, chasing asset owners, manually enriching alerts, repeating the same triage steps or building reports by hand, you have found your first innovation backlog. Automate the routine, standardize the repeatable and reserve human attention for tasks that require reasoning.
Then make innovation a capability accelerator, not a distraction.
Give people ownership of meaningful improvements that sit within their domain and have an operational endpoint. Examples include:
A detection engineer owning “detection as code” patterns and test harnesses
A threat hunter owning telemetry quality improvements and query optimization
An incident responder owning tabletop iterations and runbook hardening
A cloud security lead owning guardrailed landing zone enhancements
The critical constraint is this: every experiment needs an exit plan. Either it becomes a supported capability, or it is retired cleanly. Nothing drains teams faster than abandoned pilots that turn into “innovation debt” and hidden support burden.
In the age of AI, not innovating is now a greater risk than innovating carefully
AI has shifted the economics of offense. Adversaries can scale reconnaissance, tailor social engineering, generate variants and accelerate capability development with far less effort than before. The defensive posture that worked when change was slower will not hold. Public reporting has already highlighted this shift, including Europol’s ChatGPT – The impact of Large Language Models on Law Enforcement, which outlines how LLMs can accelerate fraud, impersonation and social engineering at scale.
The right answer is not “AI everywhere”; it is “AI where it changes the risk equation without creating a new blind spot.”
Used well, AI-enabled innovation can compress time-to-judgement and increase defensive iteration speed:
Triaging faster by summarising context, correlating signals, and proposing next investigative steps
Accelerating detection engineering by generating queries, parsing log formats, and drafting test cases
Strengthening readiness by generating realistic adversary emulation variants for purple teaming
Improving resilience by helping teams produce clearer incident comms and decision logs under pressure
The obvious warning is also real. AI can be wrong. It can be manipulated. It can leak sensitive context if data boundaries are weak. AI should be treated like any other high-impact component: scoped, tested and governed.
The secure-by-design principle here is simple:
Minimize the data you provide to models, by default
Apply context-aware, proportionate controls to the data you provide to models, rather than blanket restrictions that push users to unmonitored alternatives (a dynamic now playing out with shadow AI)
Keep humans in the loop for high-impact actions until you have proven safety and repeatability
Make outputs auditable, including prompts, inputs and rationale for decisions
Treat adversarial AI risks as first-class threats, including prompt injection and data leakage pathways (as captured in the OWASP LLM Top 10)
Use a shared taxonomy (for example, MITRE ATLAS) to map likely adversarial AI techniques to your controls and tests
Demand supplier transparency on model provenance, retention and controls if you use third-party platforms
If you need a starting point, NIST’s AI Risk Management Framework (AI RMF 1.0), and its companion Generative AI Profile, provide a practical structure to govern, map, measure and manage AI risk.
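To make the guardrails above concrete, here is an added example (not code from the article or from any of the frameworks it cites) of the thin layer a security team can put between its own tooling and a model: data classes are mapped to permitted use cases, anything outside that boundary is redacted before the prompt leaves, high-impact “act” calls require a named human approver, and every call produces an audit record with the prompt hash, what was redacted and the rationale. The policy table, the redaction patterns, the `fake_model` stub and the sample text are all constructed for this example.

```python
"""Added example: a minimal data-boundary and audit wrapper around a model call.

Everything here (use cases, data classes, regexes, the stub model) is
constructed for illustration; swap in your own classification policy and
model client.
"""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Constructed policy: which data classes each use case may send to a model.
# "secret" is deliberately absent from every entry; it is never permitted.
USE_CASE_POLICY = {
    "alert_triage": {"public", "internal"},
    "incident_comms": {"public", "internal", "confidential"},
}

# Constructed redaction patterns, keyed by the data class they represent.
REDACTORS = {
    "confidential": [
        (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
        (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    ],
    "secret": [
        (re.compile(r"(?i)\b(api[_-]?key|token|password)\s*[:=]\s*\S+"),
         r"\1=[REDACTED]"),
    ],
}


@dataclass
class AuditRecord:
    """What gets retained for every model call: never the raw input itself."""
    use_case: str
    prompt_hash: str
    redactions: dict = field(default_factory=dict)
    mode: str = "advise"
    rationale: str = ""
    output: str = ""
    approved_by: str | None = None


def redact(text: str, allowed: set[str]) -> tuple[str, dict]:
    """Remove every data class not permitted for this use case.

    Returns the minimised text and a per-class count of redactions so the
    audit trail shows what was withheld without storing the values.
    """
    counts: dict = {}
    for data_class, patterns in REDACTORS.items():
        if data_class in allowed and data_class != "secret":
            continue
        for pattern, replacement in patterns:
            text, n = pattern.subn(replacement, text)
            if n:
                counts[data_class] = counts.get(data_class, 0) + n
    return text, counts


def fake_model(prompt: str) -> str:
    """Stand-in for a real model client; deterministic so the example runs offline."""
    return f"summary({len(prompt)} chars)"


def guarded_call(use_case: str, text: str, mode: str = "advise",
                 approved_by: str | None = None) -> AuditRecord:
    """Apply the data boundary, the human-in-the-loop rule and audit logging."""
    if use_case not in USE_CASE_POLICY:
        raise PermissionError(f"use case {use_case!r} is not on the runway")
    if mode == "act" and not approved_by:
        raise PermissionError("high-impact 'act' mode requires a human approver")
    allowed = USE_CASE_POLICY[use_case]
    safe_text, counts = redact(text, allowed)
    record = AuditRecord(
        use_case=use_case,
        prompt_hash=hashlib.sha256(safe_text.encode()).hexdigest(),
        redactions=counts,
        mode=mode,
        rationale=f"policy allows {sorted(allowed)}; "
                  f"redacted {sum(counts.values())} item(s) before the call",
        approved_by=approved_by,
    )
    record.output = fake_model(safe_text)
    return record


if __name__ == "__main__":
    sample = "user bob@example.com reported SSN 123-45-6789; api_key=abc123"
    rec = guarded_call("alert_triage", sample)
    print(rec)
```

The design choice worth copying is that the audit record stores a hash of the minimised prompt rather than the prompt itself, so the log satisfies the “make outputs auditable” requirement without becoming a second copy of the sensitive data it was meant to keep out of the model.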
In other words, the risk is not “using AI.” The risk is using AI without design discipline. Innovation without exposure is exactly that discipline applied to modern tooling.
Build a safe runway for experimentation, and make it secure-by-design for AI, IoT and cloud
Most organizations fail at innovation in one of two ways. They block it, so the business routes around security. Or they allow it to sprawl, creating exposure through uncontrolled pilots and vendor proliferation. There is a third path: Enable by design, with controls invisible enough to preserve velocity but intelligent enough to prevent data walking out the door.
That third path is a safe runway: A repeatable operating model that makes experimentation easy while making new exposure hard.
This is where secure-by-design becomes practical, not philosophical. It means defining guardrails that are standard, pre-approved and baked into how teams build.
For AI, your runway is governance and boundaries.
What data classes are permitted for which AI use cases
What must be redacted or summarized before use
What is logged and retained, and where
How models are evaluated, including security testing and red-team scenarios
Where AI can advise versus where it can act
Visibility into the AI tools your people actually use, not just the ones you have sanctioned, because blocking a handful of apps does not prevent the long tail of shadow AI usage
For IoT, your runway is lifecycle control and segmentation. A useful baseline to anchor “secure by design” requirements for device capability is NISTIR 8259A (IoT Device Cybersecurity Capability Core Baseline).
Device identity and authentication as a baseline, not an enhancement
Secure update mechanisms, firmware integrity and the ability to revoke trust
Network segmentation that assumes compromise is inevitable
Asset inventory that stays current and feeds monitoring
A plan for end-of-life, because unmanaged devices become permanent liabilities
For cloud, your runway is guardrailed architecture. A practical reference point for mapping those guardrails to recognized controls is the Cloud Security Alliance Cloud Controls Matrix (CCM) v4.1.
Standard landing zones that enforce identity, logging and network boundaries
Policy-as-code gates that prevent drift and misconfiguration at speed
Secure CI/CD pathways that stop secrets, keys and risky configurations from shipping
“Golden path” templates that teams can copy, rather than inventing new patterns in isolation
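The cloud runway items above (policy-as-code gates, CI/CD pathways that stop secrets and risky configuration from shipping, golden-path defaults) can be shown in one small gate. The following is an added example, not the article's code and not a real policy engine or cloud provider API: a constructed, Terraform-like resource list is evaluated against a handful of golden-path rules (no public storage, logging on, no wildcard identity principals, no admin ports open to the internet, no hard-coded secrets), and a non-empty findings list is what blocks the pipeline. Resource types, field names and the sample plans are all constructed.

```python
"""Added example: a policy-as-code gate run in CI before a change can ship.

The resource shapes, rule names and sample plans are constructed for this
example. In practice the same rules would be expressed in the policy engine
your landing zone already uses; the point is the gate, not the syntax.
"""
import re

ADMIN_PORTS = {22, 3389}                                   # SSH, RDP
SECRET_KEYS = re.compile(r"(?i)(secret|password|api[_-]?key|token)")


def no_public_storage(res):
    if res["type"] == "storage_bucket" and res.get("public_access"):
        return [f"{res['name']}: public access must be disabled"]
    return []


def logging_required(res):
    # Logging is part of the landing-zone baseline, not an opt-in.
    if res["type"] in {"storage_bucket", "network", "compute"} and not res.get("logging"):
        return [f"{res['name']}: logging must be enabled"]
    return []


def no_wildcard_principal(res):
    if res["type"] == "iam_policy":
        bad = [s for s in res.get("statements", []) if s.get("principal") == "*"]
        if bad:
            return [f"{res['name']}: statement allows principal '*'"]
    return []


def no_open_admin_ports(res):
    findings = []
    if res["type"] == "firewall_rule":
        for rule in res.get("ingress", []):
            if rule["cidr"] == "0.0.0.0/0" and rule["port"] in ADMIN_PORTS:
                findings.append(f"{res['name']}: port {rule['port']} open to 0.0.0.0/0")
    return findings


def no_hardcoded_secrets(res):
    # A secret-looking key is fine only if its value is a reference ("${...}")
    # into the approved secrets manager rather than a literal.
    findings = []
    for key, value in res.items():
        if SECRET_KEYS.search(key) and isinstance(value, str) and not value.startswith("${"):
            findings.append(f"{res['name']}.{key}: hard-coded secret; use a secrets-manager reference")
    return findings


RULES = [no_public_storage, logging_required, no_wildcard_principal,
         no_open_admin_ports, no_hardcoded_secrets]


def evaluate(plan):
    """Return every finding across the plan; CI blocks the change if any exist."""
    findings = []
    for res in plan:
        for rule in RULES:
            findings.extend(rule(res))
    return findings


# Constructed plan that drifts from the golden path in five places.
SAMPLE_PLAN = [
    {"type": "storage_bucket", "name": "logs", "public_access": True, "logging": False},
    {"type": "firewall_rule", "name": "bastion",
     "ingress": [{"cidr": "0.0.0.0/0", "port": 22}, {"cidr": "10.0.0.0/8", "port": 443}]},
    {"type": "iam_policy", "name": "deploy",
     "statements": [{"principal": "*", "action": "storage:Get"}]},
    {"type": "compute", "name": "api", "logging": True, "db_password": "hunter2hunter2"},
    {"type": "compute", "name": "worker", "logging": True, "db_password": "${secrets.worker_db}"},
]

# The same plan brought back onto the golden path.
FIXED_PLAN = [
    {"type": "storage_bucket", "name": "logs", "public_access": False, "logging": True},
    {"type": "firewall_rule", "name": "bastion", "ingress": [{"cidr": "10.0.0.0/8", "port": 22}]},
    {"type": "iam_policy", "name": "deploy",
     "statements": [{"principal": "role/deployer", "action": "storage:Get"}]},
    {"type": "compute", "name": "api", "logging": True, "db_password": "${secrets.api_db}"},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PLAN):
        print("BLOCK:", finding)
    print("fixed plan findings:", evaluate(FIXED_PLAN))
```

Two properties make a gate like this a runway rather than a roadblock: every rule names the resource and the exact fix, so the delivery team can self-serve the correction, and the rules are code that the security team owns and versions, which is what lets governance move at the pace of the pipeline instead of the pace of a review meeting.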
When these guardrails exist, governance can move at the speed the business needs. You are no longer negotiating the basics on every project. You are asking, “Is this use case in scope for our runway, and do we have the controls that make it safe to scale?”
That is what embedding cyber leadership at the innovation stage looks like in practice. It is not attending every meeting. It is owning the design patterns and decision frameworks that the organization uses before risk is locked in.
Innovate to reduce friction, because friction is what creates shadow IT and long-term exposure
A large proportion of enterprise exposure is behavioral, not malicious. Teams take risks when secure choices are slow, unclear or unavailable. Every time security creates friction without providing a usable alternative, the business invents a workaround. That is how shadow IT becomes “just how things get done.” GenAI is the most visible example today: ban ChatGPT and employees move to lesser-known tools or personal accounts, and you lose both control and awareness (as seen in the rise of unauthorized AI use).
Innovation, when aligned to business outcomes, is exposure reduction through usability.
This is where CISOs should behave like platform leaders:
Build self-service security capabilities that reduce queues, such as standardized secrets management, approved identity patterns and reusable logging pipelines
Publish golden paths for delivery teams, so the secure route is also the fastest route
Rationalize tooling, because overlapping tools increase operational load and decrease signal quality
Measure adoption, because a control that is not used is not a control
The goal is not to remove governance. The goal is to remove unnecessary friction so that secure-by-design becomes the default behavior of the organization.
A discipline overlay: Run innovation like a portfolio, and prove what changes outcomes
Innovation without exposure requires one more layer: discipline in measurement and prioritization. This mirrors the broader industry push for secure-by-design and secure-by-default accountability, including CISA’s Secure by Design pledge (summarized by CSO senior writer Jon Gold in “CISA inks 68 tech vendors to secure-by-design pledge — but will it matter?”).
Treat innovation like a portfolio of risk-reduction investments:
Define the business outcome you are protecting (time-to-market, uptime, fraud loss, customer trust, regulatory posture)
Define the security outcome you are shifting (attack surface reduction, detection coverage, response speed, blast radius containment)
Define the operational outcome you are improving (toil reduction, fewer false positives, better prioritisation, healthier on-call)
Then measure what changed. If you cannot show movement in these metrics, you have activity, not progress.
A simple 90-day plan to start:
Days 1 – 30: Establish the runway
Quantify toil and burnout signals in your security operations and engineering workflows
Define standard guardrails for AI, IoT, and cloud, including data boundaries, identity, logging and segmentation
Publish two or three golden path patterns that teams can reuse
Set a fortnightly innovation review that focuses on design risk early, not sign-off late
Days 31 – 60: Run two pilots with clear exit criteria
Pilot 1: Delete toil in an operational workflow, and measure the time returned to the team
Pilot 2: A secure-by-design pilot in emerging tech, such as an AI assistant with strict data boundaries, an IoT segmentation model or a cloud policy-as-code gate
Days 61 – 90: Operationalize, rationalize and standardize
Turn what worked into supported platform patterns and documented standards
Retire what did not, to avoid innovation debt
Measure adoption of golden paths and reduction in exceptions, alongside operational outcomes like queue health and response times
Closing thought
Innovation is already happening in your organization. The only question is whether it happens inside your guardrails, aligned to business outcomes, or in the shadows where it becomes exposure.
For CISOs, the leadership move is disciplined innovation: Protect your people by deleting toil, keep pace with AI-enabled offense, embed secure-by-design principles into AI, IoT and cloud from the start, and reduce friction so the business stops routing around security. Do that consistently, and innovation becomes one of your strongest controls, not your biggest risk. The organizations pulling ahead are the ones that made GenAI safe to use at scale, with controls that move at the speed of their employees, not the speed of the next policy review cycle.
This article is published as part of the Foundry Expert Contributor Network.