So You’re a Security Leader in the Age of AI. Now What?
In my last post, I asked whether the traditional CISO role should even exist anymore. That wasn’t me trying to be provocative — I meant it. And I know a lot of executives are wrestling with the same kind of question.
Here’s the thing: AI is going to cause a fundamental shift in how software is written, how businesses operate, and yes, how security should operate. Generative AI applications can already investigate potential alerts, draft entire security strategies, plan and execute basic pen tests, and even coach engineers on writing safer code. A decent prompt in ChatGPT can get you something as good as what many CISOs would have produced after weeks of effort (DM me and I’ll send it to you 😉).
So the real question isn’t whether AI will disrupt cybersecurity — it’s whether we as leaders will adapt fast enough to benefit from it.
Where CISOs Need to Evolve
If you’re still approaching AI tech as a compliance exercise or a DLP headache, you’re missing the point. Forward-looking CISOs are reframing their playbooks in three big ways:
1. Push Security out of Security
Security has long been centralized — policies, approvals, signoffs. But AI makes it possible to push decision-making and help closer to the problem. Think application security guidance that shows up directly in PRDs or in an engineer’s IDE. Think penetration testing that is better, faster, and cheaper than the bargain-basement work many firms sign up for to satisfy their SOC 2. The job of the CISO isn’t to hoard control, but to federate it and to equip teams across the company with AI-driven capabilities that let them take responsibility for the org’s security posture.
Want to take the first step here? Try getting a group of security champions together from across the business and asking them where they are currently bottlenecked on security, then go find or build a capability you can put in their hands that takes the security team out of the loop.
2. Reduce Friction for the Business
One of the fastest ways to make security irrelevant is to slow people down. AI flips that. Done right, it empowers employees to get security answers on their own, without waiting on a ticket. It helps customers self-serve information without an endless loop of forms and reviews. In other words: security as enablement, as a service that supports the org, instead of obstructing it.
Where to start? Why not create a chatbot to answer questions about security policies and standards? Give it access to your policy docs, standards, audit reports, maybe examples of IaC templates from your code repos, etc., and let folks ask it when they need to find out whether your password policy meets NIST SP 800-63B or not.
3. Rethink the SOC (and Incident Response Entirely)
For years, building a SOC was a milestone achievement for a CISO — a sign you’d “made it.” But SOCs are inherently expensive, MSSPs rarely deliver everything you’d want, and let’s face it, success can be hard to measure (are you just that good, or is nothing happening?). In an AI-first program, machines can evaluate alerts in real time, learn from human analysts, and take automated actions on your behalf. The point isn’t to eliminate humans; it’s to stop wasting them on the boring, repetitive stuff so they can actually have a fighting chance against skilled attackers. Imagine a security operations function that scales without the headcount curve and actually lets your people hunt for the complex threats that matter.
A New Kind of Security Leadership
So, do we still need CISOs? Yes. But not the kind that only show up at audit committee meetings with a deck of acronyms and incident counts. We need real change leaders. We need executives who can take advantage of disruption rather than fear it: CISOs who understand the assignment and know that success isn’t in producing more reports, but in fundamentally changing how the practice of security is done, to build programs that are effective, efficient, and create value for their orgs.
The CISOs who get this right won’t just reduce risk. They’ll help their employers move faster, serve customers better, and open new doors for growth. They’ll prove that security can be an accelerator, not an anchor.
That’s the job now. And if you’re a CISO, it’s time to start acting like it.
-Quincy Castro, Chief Information Security Officer, Chainguard
For more supply chain security musings and ready-to-use resources from the Chainguard team, sign up here for our monthly newsletter.