How do you think about where the CISO role is heading?
For companies that are embracing AI, the role is changing drastically. Most of my peers who have been CISOs for years are hesitant to use it, and I think that hesitancy is a real downfall. AI is the best weapon we have ever seen in cybersecurity. We are working toward being able to deliver vulnerability-free code before it ever reaches production. I could not have said that a few years ago. The technology simply was not there.
What that means for the role is that the CISOs who embrace AI are going to need to be one part security leader and one part engineer. Half AI engineer, half developer. You need to understand what the tools are producing and what they are capable of, because you are essentially creating applications all day long. Leading a team of security engineers who are also developers is the future of this space, and I think we are getting there faster than most people expect.
The lines between CISO and Chief AI Officer are blurring. A CISO who truly embraces AI and an AI officer who takes security seriously are, at this point, almost the same role.
You came to the CISO role with an MBA and a background in product and software development alongside your security credentials. That is not the typical profile. How has that broader background shaped your work, and do you think the role demands more business fluency than most organizations assume when they are hiring?
Business fluency is a huge part of being an effective CISO. Many of the most technically skilled security leaders struggle precisely because navigating a board and navigating an executive team is essential to getting things done. There is a certain style in security culture that leans on fear, uncertainty, and doubt to drive decisions. That approach has its place, but it will only take you so far. Being able to understand what the business wants and needs, and then securing around that, is a tremendous advantage.
At the same time, you cannot skip the technical depth. Missing that makes you a pretty ineffective CISO, because you do not really understand the risks you are managing. Being a CISO is playing with fire all day long. If you know what you are doing, you understand the impacts, you know what could go wrong, and you know what to do when it does. Without that, it can go very badly. I have watched it go badly for people. You need both to be successful.
Most of the security conversation right now is dominated by AI. What I want to know is what forward-thinking CISOs should be doing today to prepare for the risk that quantum computing may soon pose.
Quantum is a tough one, and the reason is structural. CISOs are, by nature, focused on the current fire. Someone once described the role to me as being dropped into the middle of a forest fire and tasked with finding the edge of it. If something is not urgent and critical, most of us are not paying close attention to it, unless we are being deliberately strategic.
Quantum falls into that category right now. We know it will eventually break most encryption. The quantum-ready encryption standards being developed are theoretically sound, but we do not yet know for certain how they will hold up. Updating cryptography, moving to passkeys, strengthening two-factor authentication, all of that will need to happen, and it is manageable work. Smart people are already figuring out the standards, and the rest of us will adopt them.
My honest read is that cryptocurrency will be the first target when capable quantum arrives. The first country to get there will probably go after Bitcoin, and the noise that creates will give everyone else time to get their encryption in order.
What boards should be doing is asking their CISOs what they plan to do about it. CISOs should have their finger on the pulse. As best I understand it, there are roughly eight foundational problems quantum needs to solve, and about half of them have been cracked. We have some time. And there is a useful side effect of navigating the current AI moment. The speed and adaptability it is forcing on security teams is exactly the preparation you need. A CISO who survives this period will be well positioned when quantum arrives.
The boundary between security and product engineering seems to be shifting. How do you think about where security’s responsibility ends and engineering’s begins?
They are two sides of the same coin, and that will not change. Product engineering is focused on making things work well and improving the experience. Security is focused on probing the edges of how things are built and finding the gaps that functional engineers are not looking for. Both perspectives are necessary, and neither is better than the other. They are just different.
Early in a CISO career, that tension can be difficult to navigate. Security teams showing up to tell engineers they have done something wrong is not a welcome conversation, and the underlying fight is usually about time and resources. Learning to reframe that relationship, to show up as a partner rather than an audit function, is one of the harder things a CISO has to figure out. It took me years to get right.
What has accelerated that shift, beyond experience, is AI. Work that used to consume weeks of engineering time can now be done in minutes. When security stops being a bottleneck, the conversation with product teams changes entirely, and the walls that used to define that relationship start to come down on their own.
Trust is the key to getting there. Understanding what drives product teams, what they resist, and becoming a partner to them rather than an opposing force is how you build trust and, through that, get things done. Simple in concept, but not easy in practice.
If you were sitting in a room full of CEOs and board members about to conduct a CISO search, what should be on their radar that might not be?
Creativity and the ability to pivot. Those are the qualities most often overlooked.
The risks that CISOs will be managing later this year are ones we have barely begun to think about. A year ago, agentic AI and what it could do inside an enterprise environment when connected to everything through something like an MCP server was not a risk most security teams were thinking carefully about. Six months ago, it barely appeared on anyone’s radar. The pace at which new threat surfaces are appearing is extraordinary, and the CISO of the future needs to be someone who can quickly learn a new technology, test it, figure out how to secure it, and then implement that security in a way that does not stifle the innovation the business is trying to pursue.
That requires real creativity. The interesting thing is that the traditional path into security, hacking, pen testing, red teaming, builds exactly that kind of thinking. You look at a problem and you find unexpected ways through it. That instinct is directly transferable. CISOs growing out of those backgrounds are still a strong pipeline.
But boards need to be looking for those creative and adaptive qualities explicitly, not just checking for technical credentials or years of experience. Technical acumen matters, but it is table stakes. What will separate the CISOs who thrive from those who do not is the ability to operate in conditions that did not exist when they started the job.