Why AI alone won’t save the CISO

If like me you sit in enough board meetings, you’ll hear the same question emerge again and again: “Can’t AI solve this?” It’s a tempting idea and it is true that it can be a very valuable tool in the security leader’s toolbox. With the right tooling, the right model, the right automation pipeline, we can finally take the pressure off by automating at scale and the pace never seen before. But it is only part of the solution. Sure, AI can accelerate detection, streamline triage, and surface patterns faster than most analysts, but does it understand nuance, context, proximity and business value? Can it carry accountability, and can it take control when things go off script or adapt and change due to business need? At best, AI is an assistant. At worst, it’s a new attack surface we’ve barely begun to understand.  Prompt injections, model poisoning, and data leakage are just some of the threats outlined in OWASP’s top ten risks and mitigations in 2025. So, if AI is watching your security, who’s watching the watcher?

What’s more concerning is what this narrative does to the talent pipeline. As we automate more of the entry-level work, we risk eroding the very foundation we need to grow the next generation of cyber professionals. Junior analysts aren’t just headcount, they’re future CISOs in training. When they’re replaced with automation rather than upskilled alongside it, we’re solving today’s resourcing problem at the cost of tomorrow’s leadership. And the cycle of burnout continues. Innovation in AI is something to be taken seriously, but we need to be clear-eyed about what it can and can’t fix. Over my career I have learned that my key asset is the talent that exists within my team, and focus is needed on how you recruit, select, nurture and promote your team so they can succeed in their roles. That brings quality, loyalty and exceptional customer focused service.

Perhaps it’s time to redefine “CISO”?

There was a time when the CISO’s remit was fairly defined; keep the bad actors out, keep the systems patched, and keep the auditors happy. Halcyon days for many CISOs. Today, their role spans everything from regulatory alignment and third-party risk to crisis comms, customer reassurance, and boardroom education. They aren’t just guarding against threats. They’re handling fallouts, preserving reputations, and juggling increasingly high expectations, managing budgets, solving technical debt and telling business aligned stories. In a lot of cases, they’re also the “face of resilience” for the business. So, is “Chief Information Security Officer” even still fit for purpose? If the responsibilities have outgrown the original mandate, maybe it’s time the role evolved too. “Chief Resilience Officer” might not roll off the tongue, but it’s closer to reality, and it signals something the business needs to hear that security is about continuity, trust, and long-term stability, not just tools and tech.

What is power without autonomy?

You can give someone the responsibility, but if you don’t give them the authority to match, it’s not leadership, it’s liability. That’s exactly the position many CISOs find themselves in 2025. They are tasked with protecting the organisation from existential risk yet still report into IT leadership structures that weren’t designed for independence, oversight, or challenge. When the CISO reports to the CIO, there’s often a built-in conflict of interest: the person responsible for securing the infrastructure answers to the person responsible for delivering and optimising it. The CIO may – intentionally or not – prioritise functionality, availability, and performance, while the CISO may need to slow things down to patch vulnerabilities, harden systems, or push back on risky deployments. If the CISO lacks independence, security decisions may be overridden, downplayed, or even outright deprioritised in favor of delivery timelines or budget goals.

This isn’t a clash of egos though, it’s more about governance. Reporting lines shape how risk is prioritised, how budgets are allocated, and how candid a CISO can be when something needs to be said. If security is genuinely a board-level concern, which it should be, then the CISO needs a line into the board, or at least the audit committee, that isn’t filtered through operational layers.

There’s a broader cultural implication, too. When CISOs are treated as subordinates to IT, it sends a message that cybersecurity is a technical function rather than a strategic and business aligned one. And that message filters down fast into hiring, funding decisions, and how incidents are handled when the pressure rises. If organisations want security leaders to act as business enablers and crisis navigators, they need to stop placing them in a structure that ties their hands but instead allows them to lead the business in times of crisis, growth or significant change. Elevating and celebrating individuals is essential but also building a system that is designed to let them succeed rather than hold them back will ensure future leaders can be retained in an organisation and the industry as a whole. Most importantly, they will maintain good mental health in a place where they feel supported and valued.

Tim Grieveson, CSO at ThingsRecon