{"id":8120,"date":"2026-05-12T09:01:00","date_gmt":"2026-05-12T09:01:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8120"},"modified":"2026-05-12T09:01:00","modified_gmt":"2026-05-12T09:01:00","slug":"cisos-step-into-the-ai-spotlight","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8120","title":{"rendered":"CISOs step into the AI spotlight"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Serving in the military requires a precise, tactical mindset, and that\u2019s exactly what Barry Hensley <a href=\"https:\/\/www.csoonline.com\/article\/4101470\/a-desire-to-protect-his-nation-made-barry-hensley-seek-a-career-in-cybersecurity-after-24-years-of-military-service.html\">espoused during his 24 years in the US Army<\/a>, where he rose to the rank of colonel.<\/p>\n<p>The military \u201cis where you earn your stripes, showing your soldiers your willingness to jump into a foxhole and pick up a weapon,\u201d says <a href=\"https:\/\/www.linkedin.com\/in\/barry-hensley\/\">Hensley<\/a>, CSO of Brown &amp; Brown, an independent insurance brokerage firm.<\/p>\n<p>As a security leader in an industry that is constantly evolving, Hensley has leaned on that in-the-trenches approach as a key part of his leadership ethos, even as the CSO role has grown increasingly strategic.<\/p>\n<p>\u201cA security leader needs to be close enough to the tactical fight to effectively guide the organization\u2019s strategic direction, align with business goals, manage risk and investments, and influence culture,\u201d he explains.\u00a0Business units need to have confidence in a security leader\u2019s level of expertise in a specific security domain so the leader can properly represent the risks and investments required.\u00a0<\/p>\n<p>\u201cRolling your sleeves 
up in the middle of a security event is never a bad thing,\u201d Hensley adds. \u201cIt shows your willingness to lead from the front and\/or support in the most stressful situations.\u201d<\/p>\n<p>And increasingly stressful those situations have become, as the spotlight on CISOs has never shone more brightly. Now, alongside increasing responsibilities that include data protection and privacy, third-party and supply chain risk, and regulatory compliance and reporting, CISOs must confront the rise of AI \u2014 both in the hands of bad actors and throughout the enterprise. And as the CISO role evolves and grows, many are rising to embrace the opportunity.<\/p>\n<p>According to Foundry\u2019s latest Security Priorities Survey, 95% of top security leaders regularly engage with the board of directors multiple times a month, up from 85% in 2023.<\/p>\n<p>This is helping advance cybersecurity initiatives. The <a href=\"https:\/\/www.csoonline.com\/article\/3626973\/cisos-embrace-rise-in-prominence-with-broader-business-authority.html\">CISO\u2019s elevated prominence<\/a> is also leading to new reporting structures, the survey found, with 31% of respondents reporting that the top security leader reports directly into the board of directors. 
Only one in five respondents said their security chief reports into the corporate CIO, \u201canother sign that cybersecurity commands its own infrastructure and leadership outside of IT.\u201d<\/p>\n<p>CSO spoke with Hensley and other <a href=\"https:\/\/www.csoonline.com\/article\/568125\/cso-hall-of-fame-honorees.html\">2026 CSO Hall of Fame inductees<\/a> about how they are governing as AI initiatives become firmly rooted in the enterprise.<\/p>\n<h2 class=\"wp-block-heading\">Implementing an AI security framework<\/h2>\n<p>AI is a core component of Brown &amp; Brown\u2019s security strategy: enhancing SOC operations, streamlining vulnerability management, determining the risks\/rewards of third- and fourth-party partnerships, and boosting security application development, Hensley says.\u00a0<\/p>\n<p>\u201cFor 2026, publishing an AI security framework is our top priority to enable the business to move fast \u2014 safely,\u201d he says. His staff is partnering with the firm\u2019s AI engineering and enablement teams to perform AI risk assessments and ensure that AI is fit for purpose and used responsibly through the company\u2019s AI Governance Working Group.<\/p>\n<p>\u201cAI is top of mind for our leaders and a prominent topic with the board of directors, serving as a key consideration and differentiator for our business,\u201d Hensley says.<\/p>\n<p>Companies need governance frameworks that\u00a0require\u00a0security\u00a0reviews before\u00a0any AI capability is deployed,\u00a0agrees <a href=\"https:\/\/www.linkedin.com\/in\/shaunkhalfan\/\">Shaun Khalfan<\/a>, senior vice president and CISO of PayPal. 
This ensures use cases are\u00a0evaluated against security\u00a0requirements, data sensitivity, operational\u00a0risk, and business impact.<\/p>\n<p>\u201cThis is why I\u00a0am a strategic business advisor\u00a0for major AI business\u00a0decisions\u00a0at PayPal,\u201d says Khalfan, whose team is applying advanced risk detection technology and oversight, including machine learning models\u00a0running in real-time that evaluate over a billion transactions per month.\u00a0<\/p>\n<p>The work\u00a0includes\u00a0maintaining\u00a0tight\u00a0risk and business\u00a0alignment,\u00a0incorporating new products into existing compliance and risk\u00a0frameworks,\u00a0and\u00a0adapting\u00a0them to\u00a0the\u00a0unique characteristics\u00a0of\u00a0each\u00a0product, he says.\u00a0<\/p>\n<h2 class=\"wp-block-heading\">Move fast, keep risk at bay<\/h2>\n<p>Like Hensley, <a href=\"https:\/\/www.linkedin.com\/in\/jefftrudeauciso\/\">Jeff Trudeau<\/a>, CSO of Chime, says the role is fundamentally shifting from a control function to a strategic partner in how the business adopts AI responsibly. At Chime, that means being embedded early in how AI is built and deployed, not reviewing it after the fact, Trudeau says.<\/p>\n<p>\u201cWe\u2019re focused on three areas: securing AI systems themselves, governing how AI is used across the company, and helping leadership make clear risk\/reward decisions as we scale,\u201d he says.<\/p>\n<p>Noting that AI increases both speed and surface area, Trudeau says his role is to ensure the firm can move fast without introducing unacceptable risk. \u201cThat requires tighter integration with engineering, product, and data teams, as well as more direct engagement with executive leadership and the board on how AI changes our risk posture.\u201d<\/p>\n<p>Khalfan also characterizes himself as a strategic CISO with a strong operational and engineering foundation. 
He strongly believes that a\u00a0well-defined security strategy\u00a0<a href=\"https:\/\/www.csoonline.com\/article\/4080670\/what-does-aligning-security-to-the-business-really-mean.html\">aligned to business goals<\/a> is essential for the success of any cybersecurity organization.<\/p>\n<p>\u201cSecurity cannot\u00a0operate\u00a0as a separate\u00a0function;\u00a0it must be embedded in how the business grows, innovates, and\u00a0continues to\u00a0earn trust,\u201d he says, adding that \u201cstrategy without execution is just theory. We\u00a0operate\u00a0in a threat landscape that changes daily, and there\u00a0are\u00a0moments when tactical action is critical to\u00a0managing\u00a0immediate\u00a0risk.\u201d<\/p>\n<p>Rapid AI adoption is a perfect example, he says. Echoing Trudeau, Khalfan believes the CISO must help the organization move fast while still protecting customers, data, infrastructure, and\u00a0reputation.<\/p>\n<p>\u201cThe best CISOs know how to balance both,\u00a0thinking long-term while acting decisively in the short term,\u201d he says.\u00a0<\/p>\n<p>All roads lead back to trust\u00a0and strong governance, he notes. \u201cTrust is the foundation of both technology and business. You must build trust in the system across customers, merchants, partners, and infrastructure\u00a0to ensure\u00a0AI and agent-driven transactions are\u00a0reliable, secure, and verifiable.\u201d<\/p>\n<h2 class=\"wp-block-heading\">AI is creating the greatest security challenges<\/h2>\n<p>For Trudeau, the biggest challenge of the burgeoning AI era is the pace of change. AI is accelerating how software is built, how attacks are executed, and how quickly systems evolve. Traditional security models, periodic reviews, and static controls don\u2019t keep up, he says.<\/p>\n<p>\u201cWe\u2019re addressing that by shifting to more continuous, embedded security practices. 
That includes integrating security into development workflows, investing in detection and response capabilities that adapt in real-time, and building stronger data governance around how sensitive information is accessed and used by AI systems,\u201d Trudeau says.<\/p>\n<p>At the same time, the focus is on maintaining trust at scale. \u201cAs we introduce more AI-driven experiences, we have to be clear about how systems behave, how decisions are made, and where human oversight remains,\u201d Trudeau says. \u201cThat\u2019s as much a product and trust challenge as it is a technical one.\u201d<\/p>\n<p>AI is also impacting what Brown &amp; Brown is seeing with phishing campaigns, notes Hensley. \u201cAI is maturing in its ability to impersonate individuals, both voice and video, while quickly generating supporting documents to further convince teammates that a fraudulent request is genuine.\u201d<\/p>\n<p>A preview of Anthropic\u2019s Mythos release shows that <a href=\"https:\/\/www.csoonline.com\/article\/4158117\/anthropics-mythos-signals-a-structural-cybersecurity-shift.html\">AI can now rapidly discover previously unknown vulnerabilities<\/a> and automate their exploitation, Hensley says. \u201cThis changes the paradigm. Vulnerability management will likely become a higher priority for organizations as they cannot wait weeks to patch hosts based on a perceived risk tolerance of mitigating controls.\u201d<\/p>\n<p>Most organizations will have to empower their IT platform providers to deploy automation for near-real-time patching \u2014 while holding them accountable for the contracted service-level availability, he says.<\/p>\n<h2 class=\"wp-block-heading\">Managing identity, data, and humans<\/h2>\n<p>AI is not the only challenge CISOs have to contend with. 
Khalfan says that identity, data security, and context are\u00a0his most important challenges to solve for.<\/p>\n<p>\u201cIdentity is becoming more\u00a0complex, as humans, machines, APIs, and autonomous agents all interact with critical systems,\u201d he says. \u201cKnowing who \u2014 or what \u2014 is\u00a0requesting\u00a0access and\u00a0ensuring the right level of trust and least privilege is fundamental.\u201d<\/p>\n<p>Context is\u00a0the multiplier, Khalfan adds. \u201cSecurity decisions without business context create unnecessary friction,\u00a0and\u00a0business decisions without security context create unnecessary\u00a0risk.\u00a0Security leaders\u00a0must\u00a0create\u00a0systems that make both visible in\u00a0real-time.\u201d<\/p>\n<p>To\u00a0execute, his team focuses heavily on getting the fundamentals right: strong data governance, dynamic policy tuning, continuous validation of the control environment, frequent deployment of security improvements, and designing controls that are\u00a0embedded into workflows rather than added afterward, Khalfan says.<\/p>\n<p>\u201cSecurity at scale is less about isolated controls and more\u00a0about building\u00a0resilient systems that continuously adapt,\u201d he says.<\/p>\n<p>As much as AI has added new trials, Hensley finds that the human element, along with the expanding attack surface, remain the greatest security challenges.\u00a0This includes the arms race between attackers and defenders.\u00a0\u201cSophisticated social engineering is at an all-time high, challenging our teammates to be not only vigilant but also often the first line of defense,\u201d he says.<\/p>\n<p>To stay ahead, \u201cwe are tackling from all angles, including security awareness training, enabling new advanced AI features in our security tools, and taking more proactive actions on behalf of our teammates based on risk\/reward evaluations,\u201d Hensley says.<\/p>\n<h2 class=\"wp-block-heading\">Hall of Fame advice on meeting the current 
CISO moment<\/h2>\n<p>Meeting today\u2019s cyber leadership challenges requires CISOs to lead from the front \u2014 something both Hensley and Khalfan practice. That means only adopting AI that is secure\u00a0and trusted. \u201cSecurity should not be the department of \u2018no\u2019; it should help business partners move faster with confidence,\u201d Khalfan says.<\/p>\n<p>Leading from the front also means challenging the status quo and viewing yourself as a business partner\/risk advisor, Hensley says.<\/p>\n<p>For Trudeau, it\u2019s about being able to translate risk into business terms.<\/p>\n<p><strong>Stay close to the business.<\/strong> \u201cIf you do not understand how your company creates value, you cannot effectively protect it,\u201d Khalfan says.\u00a0\u201cSecurity leaders need to speak the language of growth, customer trust, and operational\u00a0resilience,\u00a0not just technical\u00a0risk.\u201d<\/p>\n<p>Trudeau agrees, saying that security leaders must align their work directly to business outcomes. \u201cIf security is seen as separate from growth, you\u2019ll always be reacting instead of shaping decisions.\u201d<\/p>\n<p><strong>Be the enabler.<\/strong> \u201cThe best CISOs help the business move faster and safer, not slower,\u201d Khalfan says. 
\u201cYour job is not to create friction\u00a0everywhere;\u00a0it is to create friction where the risk is highest and remove it where trust can be increased through better design.\u201d<\/p>\n<p><strong>Engage early.<\/strong> \u201cThe earlier security is involved in product and AI development, the more leverage you have to influence outcomes without slowing teams down,\u201d Trudeau notes.<\/p>\n<p>Khalfan echoes that, saying that data security, identity, and observability are the foundations\u00a0on which trusted AI systems are\u00a0built.\u00a0Business and cyber teams must work hand in hand to ensure\u00a0those outcomes are\u00a0achieved, he says.\u00a0<\/p>\n<p>\u201cWhether it is defending against AI-enabled threats, protecting AI infrastructure, or evaluating the\u00a0risk\u00a0and\u00a0reward of AI innovation, security\u00a0must\u00a0be involved early,\u00a0not after deployment,\u201d he adds.<\/p>\n<p><strong>Stay proactively compliant.<\/strong> Khalfan says that PayPal\u2019s security organization continually\u00a0monitors and\u00a0updates\u00a0its governance\u00a0and requirements based on the evolving regulatory\u00a0frameworks.<\/p>\n<p><strong>Solve business problems.<\/strong> This is a sure-fire way to meet today\u2019s cyber challenges and raise your profile as CISO. \u201cWhen security becomes a driver of trust, speed, and competitive advantage, your seat at the table becomes permanent,\u201d Khalfan says.<\/p>\n<p>For example, Khalfan drove company-wide bot protection initiatives, a collaborative, multi-team effort that enhanced fraud prevention. It greatly reduced fraudulent traffic at the top of the process, resulting in higher quality customer engagement, he says.<\/p>\n<p><strong>Talk the talk.<\/strong> If you want to understand how to secure\u00a0AI, you need to actively use\u00a0AI, Khalfan stresses. \u201cSecurity leaders cannot govern what they do not understand. 
Hands-on experience creates credibility and better decision-making,\u201d he says.<\/p>\n<p>This often requires investing in fluency beyond security to understand how AI systems work, how your company builds products, and what leadership cares about, Trudeau says.<\/p>\n<p><strong>Build credibility through consistency.<\/strong> \u201cAs the scope of the role expands, especially with AI, leaders are looking for clear, pragmatic guidance, not theoretical risk models,\u201d Trudeau says.<\/p>\n<h2 class=\"wp-block-heading\">There\u2019s no \u2018I\u2019 in team<\/h2>\n<p>A core part of rising to today\u2019s challenges and elevating the CISO role is bringing your teammates along. They will always be your greatest resource, Hensley says.\u00a0<\/p>\n<p>\u201cMy military experience is part of my DNA and has shaped every part of my life, especially how I think of teammate development, building highly cohesive functioning teams, and prioritizing what is most important,\u201d he says.<\/p>\n<p>So many things in life will come and go, but your impact on others will affect generations, Hensley adds. They carry forward your values of culture, ethics, and standards.<\/p>\n<p>\u201cMy legacy will be the teammates that I have served alongside through my career,\u201d he says. \u201cI encourage security leaders to focus on the impact you can make on your team every day \u2014 it will ultimately serve to elevate your profile and leave a lasting mark.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Serving in the military requires a precise, tactical mindset, and that\u2019s exactly what Barry Hensley espoused during his 24 years in the US Army, where he rose to the rank of colonel. 
The military \u201cis where you earn your stripes, showing your soldiers your willingness to jump into a foxhole and pick up a weapon,\u201d [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8108,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8120"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8120"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8120\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8108"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}