{"id":3155,"date":"2025-05-13T22:52:33","date_gmt":"2025-05-13T22:52:33","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3155"},"modified":"2025-05-13T22:52:33","modified_gmt":"2025-05-13T22:52:33","slug":"4-critical-leadership-priorities-for-cisos-in-the-ai-era","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3155","title":{"rendered":"4 critical leadership priorities for CISOs in the AI era"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Everyone knows CISOs aren\u2019t really working that hard in those cushy offices. Heck, they\u2019re only thwarting\u00a0compliance\u00a0nightmares, blocking\u00a0costly cyberattacks, protecting employees from predatory\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/what-is-phishing\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=incidentresp&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">phishing emails<\/a>, and now\u00a0dodging the feds. You know, just the little things needed to safeguard an organization\u2019s information assets.<\/p>\n<p>Kidding, of course.<\/p>\n<p>In fact, as\u00a0artificial intelligence (AI)\u00a0and\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/can-we-really-ignore-genais-vulnerable-code-this-security-pro-says-yes-sort-of\/\" target=\"_blank\" rel=\"noopener\">generative AI<\/a>\u00a0(genAI) permeate and transform businesses,\u00a0chief information security officers\u00a0are adding even more responsibilities to their already jam-packed workloads. 
They\u2019re learning how to manage the <a href=\"https:\/\/www.tanium.com\/blog\/the-3-biggest-genai-threats-plus-1-other-risk-and-how-to-fend-them-off\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">security challenges that AI presents<\/a>, capitalize on its opportunities, and adapt to new ways of working \u2014 all of which demand new leadership priorities in this fast-moving and constantly changing era of AI.<\/p>\n<p>\u201cAI has matured to the extent that it\u2019s now in every aspect of our lives,\u201d says Candy Alexander, CISO and cyber risk practice lead at technology advisory company NeuEon. \u201cAnd while the impact has been largely positive for organizations, it\u2019s also more challenging, particularly for CISOs. They need to make sure they\u2019re putting the appropriate parameters around the use of AI and\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/machine-learning-in-cybersecurity\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">machine learning<\/a>, but without squelching creativity and innovation, and that\u2019s a big challenge.\u201d<\/p>\n<p>To keep pace with change and maintain a\u00a0resilient organization, CISOs must prioritize new leadership strategies, both within their own teams and across the greater business. These four focus areas are a good place to start.<\/p>\n<h3 class=\"wp-block-heading\">1. 
Guide the C-suite<\/h3>\n<p>As businesses rush to implement AI effectively, CISOs can play an important role in guiding the C-suite on a variety of matters, starting with vetting <a href=\"https:\/\/www.tanium.com\/blog\/what-is-ai-automation\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">AI use cases<\/a>, Alexander says. \u201cThese are conversations with technologists, security, and the business. You can\u2019t just jump into the AI game without really understanding what it is you want to do and how you want to do it. You want to improve your customer experience? Great. From there, you can build that approach program but also have protections in place from the start.\u201d<\/p>\n<p>CISOs should also lead the discussion around\u00a0data and AI, says Jordan Rae Kelly, senior managing director and head of cybersecurity for the Americas at business management consulting firm FTI Consulting. \u201cThe CISO needs to drive conversations around where data is stored, how it\u2019s ingested, and\u00a0what laws are impacted\u00a0by the use of that data. CISOs used to only need to understand the business needs of the data, but now they need to understand the business needs and the implications.\u201d<\/p>\n<p>Similarly, CISOs should be involved in conversations around\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/good-cyber-governance-starts-with-a-solid-board-structure\/\" target=\"_blank\" rel=\"noopener\">governance<\/a>, Alexander adds. \u201cAI is really shining the light on the need for data governance. Who owns the data? Who consumes the data? Who should have access to it? How will the data life cycle morph and change? How will you protect that data? These are all conversations CISOs need to be part of.\u201d<\/p>\n<h3 class=\"wp-block-heading\">2. 
Emphasize organizational literacy<\/h3>\n<p>Organizations are experimenting with AI in a number of ways, from writing marketing copy to developing code, but these use cases are not always recognized from an enterprise perspective, Alexander warns. Employees, for example, may not understand that\u00a0<a href=\"https:\/\/www.tanium.com\/blog\/employees-are-embracing-shadow-ai-and-putting-company-data-at-risk\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">unauthorized uses of AI<\/a> can put sensitive corporate information at risk.<\/p>\n<p>\u201cWithout guardrails, you could have people inputting confidential information into a generative AI [tool], which then becomes part of the language training model. It\u2019s absolutely terrifying.\u201d<\/p>\n<p>CISOs should treat AI as they would any other\u00a0awareness program\u00a0and ensure that all employees have a baseline understanding of what AI is and how it relates to their role. 
\u201cYou need to be able to educate everybody in the organization around the AI concept, and [make sure they] stay updated,\u201d said Gatha Sadhir, global CISO at Carnival Corporation, in an\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=x4W2W0gzm6w\" target=\"_blank\" rel=\"noopener\">interview<\/a> with the SANS Institute.<\/p>\n<p>CISOs should focus this corporatewide awareness on how AI is used across various business processes, the ethical implications of AI, the organization\u2019s policies on responsible AI use, and the potential security threats and best practices for mitigating them.<\/p>\n<p>For guidance on driving organizational literacy in AI, Alexander recommends reviewing resources from industry organizations, such as the <a href=\"https:\/\/cloudsecurityalliance.org\/ai-safety-initiative\" target=\"_blank\" rel=\"noopener\">Cloud Security Alliance (CSA)<\/a> and\u00a0<a href=\"https:\/\/owasp.org\/\" target=\"_blank\" rel=\"noopener\">Open Web Application Security Project<\/a>.<\/p>\n<h3 class=\"wp-block-heading\">3. Prioritize education and training in security teams<\/h3>\n<p>A big challenge that security organizations face is having both breadth and depth of knowledge in areas like AI, which are rapidly changing, Kelly says. \u201cCISOs have a really hard job of managing a team that is probably already overburdened, overtaxed, and responsible for a wide range of topics \u2014 and now those topics are changing quickly because AI is changing so quickly. 
There\u2019s a lot of pressure to educate and make sure teams are current and fresh on topics so the next evolution of a toolkit doesn\u2019t put them in jeopardy.\u201d<\/p>\n<p>In fact, according to a 2024 <a href=\"https:\/\/cloudsecurityalliance.org\/artifacts\/the-state-of-ai-and-security-survey-report\" target=\"_blank\" rel=\"noopener\">report<\/a>\u00a0from the CSA, C-suite executives demonstrate a notably higher (52%) self-reported familiarity with AI technologies than their staff (11%). This goes against the conventional thinking we hear about security leaders and AI, and the assumption that \u201ceveryone is scared,\u201d said Caleb Sima, chair of CSA\u2019s AI security alliance, in a recent\u00a0<a href=\"https:\/\/venturebeat.com\/security\/google-cloud-and-csa-2024-will-bring-significant-generative-ai-adoption-in-cybersecurity-driven-by-c-suite\/\" target=\"_blank\" rel=\"noopener\">interview<\/a> with VentureBeat. The survey contests the notion that every junior staffer, just by virtue of age, is somehow fluent in the latest iterations of AI, and that \u201cevery CISO is saying no to AI, it\u2019s a huge security risk, it\u2019s a huge problem.\u201d If anything, it\u2019s a good reminder that corporate-wide awareness strategies (discussed above) must include specific education initiatives for IT departments.<\/p>\n<p>Though teams may already be stretched thin, it\u2019s important for CISOs to intentionally build dedicated time into their teams\u2019 schedules for focused <a href=\"https:\/\/www.tanium.com\/blog\/why-the-best-ai-policies-start-with-employee-education\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\">training in AI<\/a>, Alexander says. 
This training should prioritize the latest AI tools and technologies, their implications for cybersecurity and team members\u2019 specific roles, and emerging threats.<\/p>\n<h3 class=\"wp-block-heading\">4. Create a culture of curiosity<\/h3>\n<p>While it\u2019s important for CISOs to prioritize AI training within their teams, it\u2019s also important to encourage their teams to experiment with AI, Sadhir told the SANS Institute. \u201cYou have to cultivate a culture of learning and innovation. In AI, leaders have to lead from the back, not the front. You have to let thinkers think. In fact, a lot of ideas are coming from the team members themselves. You have to allow them the opportunity to nurture that to find the right solutions of the future.\u201d<\/p>\n<p>Encouraging security teams to experiment with AI has a number of benefits. It motivates those teams to explore new AI technologies and methodologies, which can lead to new solutions for complex security challenges. It also promotes ongoing skill development, encourages teams to collaborate and share insights, and ultimately helps security teams understand how AI can support and align with broader organizational objectives and strategies. It can also give a boost to a worker\u2019s overall\u00a0employee experience, something CISOs and enterprise leaders are paying closer attention to in today\u2019s pressurized job market.<\/p>\n<p>As CISOs maneuver in the changing AI landscape, it\u2019s important that they assume a leadership role in the AI strategy of the organization, Kelly says. \u201c[CISOs] are no longer a back-of-house job. 
They need to have a full leadership role and the ability to work within an organization to anticipate what the company is doing and make those decisions about a strategic AI investment.\u201d<\/p>\n<p><em>This article originally appeared in <\/em><a href=\"https:\/\/www.tanium.com\/blog\/4-critical-leadership-priorities-for-cisos-in-the-ai-era\/?&amp;utm_source=idg&amp;utm_medium=native&amp;utm_content=aem&amp;utm_ID=701RO00000QCml5YAD&amp;utm_campaign=alwayson&amp;utm_marketing_tactic=ra&amp;utm_creative_format=text\" target=\"_blank\" rel=\"noopener\"><em>Focal Point<\/em><\/a><em> magazine.<\/em><\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Everyone knows CISOs aren\u2019t really working that hard in those cushy offices. Heck, they\u2019re only thwarting\u00a0compliance\u00a0nightmares, blocking\u00a0costly cyberattacks, protecting employees from predatory\u00a0phishing emails, and now\u00a0dodging the feds. You know, just the little things needed to safeguard an organization\u2019s information assets. Kidding, of course. 
In fact, as\u00a0artificial intelligence (AI)\u00a0and\u00a0generative AI\u00a0(genAI) permeate and transform businesses,\u00a0chief information security [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3156,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3155"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3155"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3155\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3156"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}