CISOs Step into the AI Spotlight

The spotlight on CISOs has never shone more brightly, with new responsibilities that include data protection and privacy, third-party and supply chain risk, and regulatory compliance and reporting. CISOs must confront the rise of AI – both in the hands of bad actors and throughout the enterprise. According to Foundry’s latest Security Priorities Survey, 95% of top security leaders regularly engage with the board of directors multiple times a month, up from 85% in 2023. The CISO’s elevated prominence is also leading to new reporting structures, the survey found, with 31% of respondents reporting that the top security leader reports directly into the board of directors. Only one in five respondents said their security chief reports into the corporate CIO, “another sign that cybersecurity commands its own infrastructure and leadership outside of IT.”

AI is a core component of Brown & Brown’s security strategy: enhancing SOC operations, streamlining vulnerability management, determining the risks/rewards of third- and fourth-party partnerships, and boosting security application development, Hensley says. “For 2026, publishing an AI security framework is our top priority to enable the business to move fast – safely,” he states. His staff is partnering with the firm’s AI engineering and enablement teams to perform AI risk assessments and ensure that AI is fit for purpose and used responsibly through the company’s AI Governance Working Group. Shaun Khalfan, senior vice president and CISO of PayPal, agrees that companies need governance frameworks that require security reviews before any AI capability is deployed. This ensures use cases are evaluated against security requirements, data sensitivity, operational risk, and business impact. Jeff Trudeau, CSO of Chime, says the role is fundamentally shifting from a control function to a strategic partner in how the business adopts AI responsibly. He adds, “We’re focused on three areas: securing AI systems themselves, governing how AI is used across the company, and helping leadership make clear risk/reward decisions as we scale.”

For Trudeau, the biggest challenge of the burgeoning AI era is the pace of change. AI is accelerating how software is built, how attacks are executed, and how quickly systems evolve. Traditional security models, periodic reviews, and static controls don’t keep up, he says. AI is also impacting what Brown & Brown is seeing with phishing campaigns, notes Hensley. “AI is maturing in its ability to impersonate individuals, both voice and video, while quickly generating supporting documents to further convince teammates that a fraudulent request is genuine.” A preview of Anthropic’s Mythos release shows that AI can now rapidly discover previously unknown vulnerabilities and automate their exploitation, Hensley says. “This changes the paradigm. Vulnerability management will likely become a higher priority for organizations as they cannot wait weeks to patch hosts based on a perceived risk tolerance of mitigating controls.” Khalfan also says that identity, data security, and context are his most important challenges to solve for. He explains, “Identity is becoming more complex, as humans, machines, APIs, and autonomous agents all interact with critical systems.” Hensley finds that the human element, along with the expanding attack surface, remain the greatest security challenges. “Sophisticated social engineering is at an all-time high, challenging our teammates to be not only vigilant but also often the first line of defense,” he concludes.

This post is licensed under CC BY 4.0 by the author.