Security at AI speed: The new CISO reality

The CISO role has changed significantly over the past decade, but according to John White, EMEA Field CISO, Torq, the most disruptive shift is accountability driven by agentic AI. In this Help Net Security interview, White explains how security leaders must design and govern hybrid workforces where humans and AI agents operate side by side, making decisions and acting at scale. He notes that automation is moving beyond simple task execution into real-time insight and response.

AI agents take on greater responsibility, but CISOs remain accountable for outcomes, and even for inaction when organizations fail to adopt and govern machine-speed security capabilities.

What part of your job today would a CISO from 10 years ago barely recognize?

The CISO’s role has evolved so much over the past ten years, but I think the biggest shift I’ve seen would be in what we consider to be the Security Target Operating Model, and specifically, the emergence of the agentic workforce.

Ten years ago, every org chart looked the same, a traditional tree-like structure depicting tiers of responsibility and specialist silos. Recruiting talent meant competing for scarce analysts and engineers to fulfill each vertical.

Today, it means designing, governing, and trusting a hybrid workforce of humans and AI agents. As CISOs, hiring people based upon whether they are a “good fit”, But we’re also deciding which decisions can be safely automated, which require human judgment, and how AI agents can move beyond task automation to deliver insight at scale – not just into threats, but into the effectiveness of our core security fundamentals.

The biggest shift isn’t tooling, we’ve always had to choose our platforms carefully, it’s accountability. When an AI agent acts at scale, the CISO remains accountable for the outcome. That governance and operating model simply didn’t exist a decade ago.

Equally, CISOs now carry accountability for inaction. Failing to adopt and govern AI-driven capabilities doesn’t preserve safety, it increases exposure by leaving the organization structurally behind.

The CISO role will need to adopt a fresh mindset and the skills to go with it to meet this challenge. In my new role at Torq as Field CISO, one of my key goals is to help ensure they understand the ongoing evolution unfolding and why the agentic AI model is critical to their success.

What’s one example where you had to compromise on security controls because of revenue, customer experience, or time-to-market pressures?

All businesses have similar challenges, but I think the retail sector was where I saw my clearest example.

In online environments, development velocity often outpaced the maturity of emerging security controls. I’ve faced situations where delaying a launch to embed a new control would have materially impacted revenue during peak trading periods.

The compromise was never “ignore security.” Instead, it meant shifting from preventative to detective and compensating controls, accepting short-term risk with explicit guardrails, enhanced monitoring, and a defined remediation window. The critical point is that the trade-off is intentional, visible, and time-bound.

Risk management is about making informed, conscious decisions that enable the business to move forward safely.

What is the most common board question about cybersecurity that you wish they would stop asking?

Can you quantify all of our cyber risks?

It’s a backward-looking question in a world where risk is increasingly non-linear and fast-moving. While quantification has value, seeking precision based on historical data before ensuring strong controls, ownership, and response capability creates a false sense of confidence.

It anchors discussion in technical debt and past trends, rather than aligning leadership around emerging risks and sponsoring a bolder strategic leap through innovation. That forward-looking lens drives better strategy, faster decisions, and real organizational resilience.

How do you evaluate security products today differently than you did five years ago?

Five years ago, evaluation centred on features, coverage, and integration into human-led processes. That mindset is no longer sufficient. I start by asking whether a product can operate safely, transparently, and governably at machine speed while delivering business outcomes.

I assess whether a product is intuitive to operate and capable of acting autonomously within clearly defined constraints, while still providing real-time observability and assurance. With the emergence of a new benchmark in machine-speed, any tool that depends on constant human intervention quickly becomes a bottleneck rather than a defence. If it can’t eliminate friction in execution and decision-making, it simply won’t scale against machine-driven threats.

Equally important is how the product reshapes the organization itself.

I look for technologies that reduce cognitive load on teams, interpret volumes of data to surface insights we couldn’t previously access, and move beyond detection to recommend and, where appropriate, implement improvements. The strongest platforms can also measure and report on their own effectiveness and value, turning security from a reactive function into a continuously optimising system.

There’s urgency here. Attackers already operate at machine speed, and organizations still optimising human workflows are structurally and technologically falling behind. Security platforms are fast becoming organizational design decisions.

The winners will be those who make the mindset leap early: structuring teams around outcomes, automating execution, applying human judgment where it matters most, and maintaining clear accountability before the risk curve overtakes them.

How do you convince the business that “vendor convenience” can become an existential risk?

I reframe the discussion away from security tooling and toward control, resilience, and organizational dependency, particularly the hidden risk of over-relying on large incumbents. Convenience often comes from consolidating capability into familiar platforms, but in many cases those platforms were never designed to operate autonomously at machine speed. Instead, the necessities of AI and automation are bolted on, while decision-making, execution paths, and recovery mechanisms remain opaque and externally governed.

When a large incumbent experiences an outage, breach, model drift, or regulatory intervention, the business doesn’t degrade gracefully, it fails hard. The illusion of safety disappears quickly when you realise you don’t own the kill switches, can’t constrain behaviour in real time, and don’t control the recovery path. Vendor scale does not equal operational resilience.

This was starkly evident in 2025, when multiple large enterprises were impacted by Scattered Spider and supply-chain attacks. Even the most mature security teams were stretched to breaking point, with many attacks exploiting human-centric weaknesses. Now consider the impact of a comparable attack driven by AI, adapting and moving at machine speed.

That’s why I’ve always been highly selective about what capabilities are delivered in-house versus those provided by trusted partners. Regardless of vendor choices, incident response speed and recovery capability must be ready.

The questions businesses must ask themselves are:

• If this vendor stopped functioning tomorrow, how quickly would revenue, trust, or safety be impacted, and what levers would we have?
• How do we evolve our capabilities to react with machine-speed equal to that of our adversaries, and how much of this response can be automated versus relying on traditional human based processes?

This usually changes the conversation quickly.

Download: Tines Voice of Security 2026 report