
Webinar

2026: The Year of ‘Now What?’

As organizations move into 2026, cybersecurity and AI risk are firmly on the board’s radar, but competing priorities, limited time, and executive fatigue make meaningful engagement harder than ever. Budgets remain tight, automation and AI dominate conversations, and security leaders are under increasing pressure to cut through the noise and drive real impact. Cyber risk has attention, just not airtime. The challenge for CISOs and risk leaders is knowing what to elevate, how to frame it, and how to ensure their message resonates with decision makers who are focused on outcomes, tradeoffs, and business impact. So how do security leaders move from awareness to action when every conversation feels compressed? In this expert-led discussion, Tevora brings together Executive Consultants Carlos Phoenix and Dr. Bryan Mitchell for a practical conversation on communicating evolving cyber and AI risk to the board. Moderated by Ashli Pfeiffer, Managing Director at Tevora, the session explores how CISOs can better align expectations, build allies, and drive meaningful outcomes at the executive level.

Key Takeaways:

  • How to align board and executive expectations with today’s cybersecurity and AI risk reality
  • Ways to bring AI risk into board conversations in clear and appropriate terms
  • Proven engagement methods that lead to more meaningful board-level impact
  • Tactics to strengthen CISO relationships and reduce resistance
  • Shared lessons learned to help de-risk the CISO role
  • How to optimize board time by centering discussions on decisions, tradeoffs, and business outcomes

Whether you are preparing for your next board discussion or refining your long-term communication strategy, this session offers practical insight into navigating executive conversations with confidence in 2026.

Welcome to 2026: The Year of ‘Now What?’ What this means is we’ll be talking today about really working through that threat landscape to engage the board on risk and AI, some of those hot topics that we as CISOs, or in other various roles within cybersecurity, are dealing with. I’ll lead us through some introductions to get started, so you know who the three of us talking are. I will be the moderator of the panel discussion that I will lead you through. We’ll do a lightning round with some quick questions, and then open it up to Q&A. That Q&A is from you, the audience, so please, please, please, audience members, as you have questions, please use that functionality on your screen to enter a question. If you’re comfortable with it, feel free to add a little context, like maybe what industry your company is in, or the size of your company, things like that, so we can help tailor our answers. But if not, it’s okay. There’s also that anonymous question option. Just put them in there, and we will get to those at the end. As we are going through this, we will have some poll questions, so stay tuned. You’ll see those pop up on your screen. Click on those answers as you get them. On to introductions. The first thing is to introduce the company: this is a webinar hosted by Tevora. And who is Tevora? We’re an industry-leading expert within the cybersecurity space. We really value our partnership with our clients. We work on those relationships long term, not just a check-the-box exercise, which is shown through our long-standing client relationships and through our own work in cybersecurity. These are all the different services that we work in. You can see all those on there. We offer those different attestations. You see those logos.
We’ve got a lot of awards, of course, and assessors who go across everything from PCI to FedRAMP. We really value that partnership, which means that we have to hold ourselves to the same standards that we’re asking you to hold in that security practice. Moving on to introductions of ourselves. My name is Ashli Pfeiffer. I’m delighted to be here today as the moderator of this session. I work at Tevora as a managing director within our various compliance and consulting practices. I have been with Tevora for about nine years now, and have loved what I do. I originally hail from the Midwest but now reside out here at our headquarters in Southern California, and these days I focus most of my time within the SOC compliance world, but as always, in our space of cybersecurity, there’s a little bit of everything. Carlos, I’ll pass it over to you.

Hello, everybody. My name is Carlos Phoenix. I previously was the product CISO at VMware for eight years, and I’ve worked at KPMG, Deloitte, Cognizant and Coalfire. I really like to see a variety of industries and work with customers. I especially have been spending more time looking into cybersecurity and AI and board management. Now on to you, Bryan.

It’s great to meet you. My name is Bryan Mitchell. I’m the Chief Information Security Officer for Groups360 in Brentwood, Tennessee, but I’ve also had the privilege to work with the team at Tevora from time to time. I’m formerly the CISO at AutoZone, and I also worked for Kuna novel AG, as well as FedEx Corporation. It’s great to be here today.

We’ll get into our first question. What really is a CISO’s role regarding a board of directors? Bryan, I’ll kick it to you first to answer.

As it pertains to the board members, the CISO’s role is to support the board’s fiduciary duties, to represent shareholder interests while ensuring legal and ethical compliance from a cybersecurity GRC or even regulatory perspective. How this occurs really depends on several factors: the CISO, the executive committee and leadership team, and the board and board members. Aligning with the board can be deeply rooted in company culture. I mean, board members’ backgrounds and experience, as well as industry alignment, can also be affected by reporting relationships, such as having a dotted line to the board or not, the industry the company operates in, regulatory elements or compliance, the personalities of all involved, and most importantly, trust and how trust is established. A CISO’s job is to reduce risk and to ensure that all parties understand how the investments being made in security benefit the company and all stakeholders, and that includes the board. Figuring out how to establish a common operating picture with the board is immeasurably important. Carlos, what are your thoughts?

I think that is correct. If we kind of dissect the GRC term, governance, risk and compliance, a lot of times we’re really focused on risk and compliance. There’s also the G in GRC, which is governance, and that includes controls, and it includes risk appetite and knowing how to evaluate paths that you’re taking. I think a CISO’s role is to look at those three aspects of GRC and to try to find balance in them. Of course, the CISO is oftentimes really focused on making sure there’s no negligence, so if you’re signing contracts with third parties, you are providing services, or you have a responsibility to not be negligent, what that means is that you’re doing the right due diligence and putting in the right controls, and then you’re reassuring the board that you’ve taken care of those things. So not going to jail, very important, and ensuring that you’re not negligent, very important. Ultimately, it’s not just the CISO’s role. If the CISO is by themselves in this capacity, and they’re not getting that participation from the rest of the board, then they’re not doing the job, I think, in the way it needs to be done. I think the role of the CISO is to find ways to share in that responsibility and to ensure that the whole board is participating in the purview of governance, risk and compliance.

Thank you both. There’s a lot to it, essentially, in that role. That brings me to our next question: with all the things going on, why is it that this relationship may be tricky or hard for those CISOs? Bryan, we’ll have you start us out again.

It can be hard sometimes, and it can also be affected by how the CISO communicates with the board, and even whether security is a standing agenda item at the quarterly board meeting, or something that comes up occasionally or only after an incident. The relationship can also be affected by the key responsibilities of the board, the board’s level of strategic or financial oversight, and the various committees they might participate on in conjunction with the executive leadership team. The relationship can also be complicated by history: how the security organization came into existence, or the previous relationships the board has had with it. Security leadership’s accessibility to the board can also affect the types of relationships that are established. Thoughtfully navigating these variables and building trust over time tends to improve the outcome, regardless of what the outcome is. Carlos, what would you add to that?

I think the question is, is it tricky? And I think it depends. I think we have a poll that we’d like to see participants answer, so give us your input. Do you think it’s tricky? I think it depends on the company. I’ve worked with boards where I did not think it was tricky. Other times I thought, this is going to be a bit of a challenge. I’m happy to share my strategies and how I’ve navigated those, but I’m very curious to see what the audience believes in terms of, is this relationship tricky? Ashli, do you have the poll?

You guys should see a poll question up there now. It’s a scale of one to five, with five being the most difficult, one being very simple, or zero, not at all. How tricky do you find the relationship between CISO and board? As you’re answering this, if you’re not a CISO, you can still answer with what your perceived opinion is. You may be someone who supports a CISO, so don’t feel like you can’t answer if that’s not your exact title. I’ll leave it open for just a couple more seconds. We’ve gotten most of our participants to respond so far. I will end that poll, and let’s share these results up here. So, you guys should be seeing those shared results, which is that most people are leaning towards it being quite tricky, which leans into what Bryan talked about: it can be tricky, it doesn’t have to be, but it makes sense, seeing as y’all joined this webinar to hear some insights about this dynamic. Sounds like people are leaning into that more tricky piece there. Bryan or Carlos, anything else you want to jump in about in terms of this poll? It certainly doesn’t surprise me.

I’m a little surprised at how many people picked four out of five. When I think about what might be happening there, I’m guessing, because I don’t have the time or the opportunity here to speak with everyone that voted that as a four or higher, but I do believe that we’re seeing in the market a lot of pressure on the CISOs. A lot of CISOs are having turnover in their positions, and oftentimes the board relationship is cited as one of the leading causes of it. Maybe they got into conflict. Maybe there’s disagreement. A lot of times, I’ve seen that when the board just believes that something can happen and the CISO is trying to show them, nope, this is the truth, this is what we have to do, then the board decides to make a decision to replace the CISO, in which case the new CISO comes in. One of the key things that they’re asked during those interview questions is, how do you manage the board? How do you view the board? We really want you to have great relations with the board. And sometimes you think, I should probably go and speak to the person that was in this position before me, and I’ve had the opportunity to do that, only to find out that expectations were not aligned. It really wasn’t that the CISO was doing anything wrong. It’s the board’s perception that this could be done differently, that the person could be more amicable, that there’s just something about the board’s perception that I think was rubbing the wrong way, and maybe that’s what’s causing the trickiness in the survey that we just posted. That’s a guess of mine. I don’t know if I’m getting that right 100%, but I do think that if you think about that relationship, if as a CISO you’re not effective with the board, then really your job is on the line. I can imagine the pressure that folks would feel in that position. At the same time, if you have a good relationship with the board, and the board understands the function, why you’re doing it, they know you’re working hard.
You’re giving them the options to be able to pick things, and they’re involved, and they’re sharing in that responsibility. I think that relationship becomes less tricky, because it’s then really about making progress on a quarterly basis and bringing them along the journey. If you can do it like that, I think it does make the relationship, I hate to say it, even pleasurable. I think these relations can actually be a lot of fun and insightful, because they have so much background they’re bringing in. So I’m very curious to see why people voted that way. That’s me reading into it and thinking about what kinds of situations I’m seeing in the marketplace that are causing some of these tricky relationships.

Absolutely. Well, and then with that, that gets into really our next question, because a lot of that tricky relationship, what you talked about there, Carlos, is making sure that you know you’re aligned and you’re meeting those needs, and there’s a lot of pressure on CISOs to do that. So that next question is, what does the research tell us, or your experiences directly tell us, coming from the other side of this? What does a board of directors want, in terms of what it expects from the CISOs who are representing the entire structure and team below them about their security solutions? Bryan, I know you’ve done a lot of research in this area. We’re excited to hear about that from you.

I think Carlos nailed it again. This varies with the board and corporate culture. This is certainly, in my experience, where it starts becoming human and behavioral to some degree; every board is a snowflake. This can also be affected by the company’s performance. My experience has been that companies that are performing well financially see boards applying a much lighter touch. However, with those companies that are struggling financially, boards can have a much heavier touch and/or provide greater strategic direction, which can absolutely impact the security program, both positively and negatively. That’s not to mention a company that has had a cyber incident that the board is actively involved in understanding. At a minimum, given all these variables, the board wants what it understands to be enough information to fulfill its fiduciary responsibilities. Dialing that into something truly meaningful tends to be the art associated with the science of being a CISO. I can definitely tell you what CISOs want, which is support and confidence around transparency, establishing and maintaining a common operating picture at the board level. That is the ultimate goal and sweet spot, so to speak. The lingering question is whether all boards want the same things, and I think the answer is not always, but I know Carlos, you’ve got some thoughts on this topic. What do you think?

Before I answer, why don’t we take a step into your background? Because I know you were finishing your PhD, and I had that opportunity to be a participant in that survey, and you’ve been looking at this exact type of question. In your experience, is there good research out there? Do we have a good grasp to be able to answer this with objective data?

That’s a fair question, and thank goodness the answer was, there’s not quite as much data out there as you would expect. When you think about cybersecurity and how that’s deliberated, even at the board level, that’s not a really popular topic to discuss in public. There are certainly hints and glimmers of information out there. What I leaned on was the expertise of professionals that have worked in industries at the CFO level, board level, CEOs and even cyber practitioners. I was fortunate enough to work with other experts that lent me their experience and their insights to be able to effectively form at least an opinion around what boards understand about cybersecurity. And the answer isn’t particularly shocking.

It’s very interesting that you mentioned that there’s a lack of data. One of the things that I think is very helpful, and that boards do like to understand, is what is everyone else doing? They seem to be very obsessed with industry trends, what their peers are doing, and so any kind of insight like that can reassure them that they’re making the right choice. I’ve seen a lot of buying decision analysis that shows that CISOs tend to take a solution that their peers select, and that helps reduce some of the risk and builds some comfort. If you can point to another company, another CISO, or someone in the industry, or a group of companies in the industry, and say, this solution or this approach is the one that is most popular, I think that can help decision making. One of the things that I’ve thought about in terms of this lack of data is being able to reference those professional organizations that you as a CISO are part of, or as a cybersecurity executive, you can join these groups, you can then exchange ideas and see what patterns are emerging. Then when you go back to the board, you can present that: I spoke to three other CISOs, and they told me XYZ. That reassures the board that you’re doing the right thing, because these boards are really trying to figure out patterns and trends. You can spot those by simply looking at your peers and other companies and other organizations in your same industry. I think that’s a really important thing to underline, that if you’re part of a professional organization, you can leverage that, and you can come back with information: I spoke to some CISOs in my professional organizational group, and they said X, and this is how I’m going to interpret it for us, and then try to walk them through that discussion. I think that’s super important.
Other things that I think we have to be mindful about is that although we don’t have a lot of this research, we do know that out of sight is out of mind, so if you’re not engaging the board, or if you’re not coming with information, then the board is going to simply forget that you’re there and that you have this issue you’re trying to raise. So really try to think through what kind of research you can put into the reading materials. When the board meets, you have that material available. Maybe not every single person will read every single piece of material in detail, but you’re at least going to create some common ground, and try to bring together that objective data: this is what I was able to find, and this is the story that I’m going to tie this stuff together with, especially around other organizations, speaking to peers, trying to figure out how to bring that together. The other thing I think is really important to point out is that the reason why we probably don’t have so much research is because this position is pretty new. The first CISO dates back to 1995 and Citigroup; that is the person that is coined as being the first, and that’s not that long ago, and the concept of it in 1995 was really there to prevent cyber-attacks, cyber threats and theft. Just fast forward less than 10 years, when we had Sarbanes-Oxley in 2004, and that then changed the whole perception of the CISO’s role in security. Now we’re looking at it through the lens of internal controls, things like COSO objectives. The way the board was then evaluating risk changed, and it hasn’t had that much time to develop. A lot of CISOs early on in the journey may have come from teams like procurement, or people that were CISOs that wanted to get more into the security space. What I’ve seen now is that people are majoring in PhDs in cybersecurity, master’s in cybersecurity.
There are people that are coming through a more traditional educational path with these types of degrees in their careers and in their educational profiles. It’s very interesting to think through how you look at that context, because the board members oftentimes have experienced a lot of these changes. They tend to skew a little older, and so you need to put your lens through the experiences that they’ve had and how they might be perceiving these things. I think that is what I see in at least the research that I’ve performed and conducted in this space, and what seem to be the trends that boards are most receptive to. I think that, to me, is really important. If it’s working across different boards, it’s probably going to work with your board.

I’ll add one thing very quickly; you made a great point about framing indirect support for whatever your strategy or initiative is as a CISO. Think about networking across boards; most board members sit on multiple boards, so being able to network to the seat is also a great approach, because you’re absolutely spot on that they’re likely going to solicit information from their collective network, not just from you, and building that alignment and that support in the background can also be a very powerful approach.

I don’t want to cut you guys off, because this is such a great topic, but I did want to put a poll out to all of our listeners here, so that second poll question should be launching for you all, and this is a select-as-many-as-apply. The question is, when you communicate your cybersecurity priorities to the board, where do you see the biggest friction? Select one, two or all of them. It’s a select-many. Until you get through them all, I’ll go silent. You all can read there, but there are quite a few to click through. I will say we’re not just asking for us; we’ll have some follow-up options for you on these, so take a look. Bryan, Carlos, good time for all of us to refuel with our group of choice.

I hope people don’t select all of them, for your happiness; I hope you don’t have all the friction. But reality, I know, sometimes means there are multiple. Fairly evenly spread out so far across the different ones, which is interesting. A couple of winners or losers, I don’t know how you frame it.

I think one thing we should probably highlight too is, if we have participants on the call that are not engaged with the board or not in that official CISO seat yet, I think we’re all aspiring, right, to keep our careers progressing, and I know that one of the things that I leaned on before I was able to reach the position I’ve reached today was that I engaged in these kinds of questions with the CISO at the time. So I asked questions like, what’s the board like? Do you like meeting with these people? Who on the board do you like? I would look up the board members, and I’d say, which of these are your allies, and try to have more of that support conversation, because one of the things that you can do, if you’re not engaging with the board today, is that you can prepare yourself for that position by supporting the person who is, and there’s a lot to be learned in how those relationships are managed. Have that conversation, if you feel comfortable, and your CISO is able to engage in that and mentor you. I think those are fantastic questions. I know when I get asked those types of questions, I’m relieved, because there is a lot to cover, and there are a lot of personalities, and people do look at the different board members and point out things that maybe I missed: this person has this in common, or this person sits on this other board, just as a heads up. Maybe I didn’t have the time to do that kind of research, but someone brings that to my attention. I would find that very, very helpful. What about you, Bryan? What advice would you give to folks that maybe aren’t dealing with the board yet, but are going to in the next step in their career?

You know what, you’re spot on, which is, solicit as much information and experience as you can from those around you. So sorry, my apologies. Solicit information from those around you, but lean on those who’ve had that experience: mentors, stakeholders, gathering as much perspective as possible. Having that inside information tends to help with navigating the process moving forward.

I’m going to share the results here, because it looked like the responses had kind of slowed down. You guys should see that popping up on your screen. What you’ll see is that, again, winner or loser, however you frame it, the most clicked is the board lacking a clear understanding of cybersecurity, which I think is something that has been in place in terms of this relationship since the dawn of that first CISO in 1995 until now, and in this rapidly changing landscape, that difference in understanding is growing, not shrinking. Otherwise, it was spread across the different areas here.

I’m curious to hear Bryan’s point on the one that was most popular, at 63%: the board lacking a clear understanding of cybersecurity.

If you think about it, cybersecurity can be relatively ethereal in nature. We’re talking about bits and bytes that are open to really different interpretations. That actually doesn’t surprise me, and it parallels research that I did almost exactly. I look at that as an opportunity: if you can create that level of awareness or that understanding, think about how powerful that outcome is.

Building on that, I’m guessing a little bit here as well. I think that there is oftentimes a difference between the technical aspects of cybersecurity and the business aspects of cybersecurity, and I’ve seen some of the most effective CISOs just don’t have a technical background. For someone with a technical background, that can be a little frustrating. When it comes to board management, it seems to really, really help there. I think one of the things that, as a technical person, you have to remind yourself of is that those details, that’s your job. You don’t need to bring those details to the board, but the strategy, the what if, your best guess as to what might be happening two quarters out, two years from now. I know it’s hard to be able to lean into that, especially if you’re coming from a technical background. You want to be precise, you want to be thorough, you want to have the exact data. A lot of this can also be conversational, as long as the opportunity to build that relationship with the board member is underpinned by the expectation that I’m just trying to show you the strategic aspects of this, how our business might evolve, and what kinds of things cybersecurity is pressing up against in the business. If you don’t have the answers, that’s okay. You can say, I believe, I think, my best guess is, I don’t know, but I see this as a potential trend, and I think those are the kinds of conversations that really get to the curiosity of the board member. You don’t want to make it an issue, but at the same time, I think that’s a conversation that is not technical, that is business focused, that is strategic, that thinks about the macro concepts that those board members are really interested in, and to try to think always about the business operating model, and maybe there’s going to be a higher cost of doing business.
If you’re going to have deepfakes showing up in the interview process, the cost to interview people is going to go up, because you’re going to have to spend more money making sure that those people are really the people that they say they are. And there might be other friction that comes into the business, but if you talk about it from a business operating model, I think a lot of that lack of cybersecurity understanding can be bridged. I don’t know if the board will be able to really come into a position of technical awareness, unless you have a board member who was a previous CISO, in which case I’d caution you: that’s fantastic, but you also don’t want to have one person on the board that has so much input that everyone else says, you know what, I’m going to just point to the person that knows the most and go with whatever they say. You want the whole board participating. It’s great to have that kind of ally; at the same time, it’s even better if you have multiple allies, and you’re having the interesting conversations about the business, business transformation and that strategy.

Thank you, Carlos. In terms of that, it leads us into our next question about when you do have that one member who you have that good rapport or understanding with, and also, I swear we didn’t rig that poll where you guys all clicked that the lack of understanding is the most common friction. Our next question here is, what mechanisms or constructs do boards inherently understand that can help guide us on some of that? Bryan, we’ll kick that over to you to start out with.

It’s funny, Carlos, because in your previous answer you were describing me. If you go back far enough in my career, I was in finance, and so this is a pretty easy question for me to answer, because boards understand anything financial. Boards and board members tend to understand finance and financial risk best. They are arguably experts in this space. Just think about the development of the FAIR framework and what it sought to do. The whole premise of an enterprise risk management program, which most security frameworks absolutely prioritize, is converting risks across the enterprise, including cyber, into financial risk. That’s not to say that there won’t be some debate around probabilities or potential impacts, but if you can communicate in terms of financial impacts, the board will absolutely understand that common vernacular. Ashli, I’d love to get your thoughts on this. What do you think? What are some of your thoughts on board-level constructs that work well and are well understood?

One that I would think of here is insurance, actually, since that tends to be a subject area that boards have long understood as a concept. Insurance now, of course, includes some of that cyber resilience insurance or cyber liability insurance. That is an area where it can be tricky to really relate the exact financial loss impact probabilities and the amounts into coverage percentages. However, I would say, using some of the tools you might have, like CMMC or a maturity assessment, like the NIST CSF maturity assessment, can really help you put some of that picture together, like a chart or graph. That’ll be a repeatable tool that you can use to help create that ongoing picture for your board about insurance related to cyber.

That makes perfect sense. What also just came to mind: boards also definitely understand regulatory impacts or implications. There are numerous case studies around monetary impacts and loss based on history. A great example that I lived through was NotPetya’s effect on Merck, FedEx and Maersk. There’s also plenty of data out there on compliance failures, ranging from GDPR to HIPAA. Boards tend to be very aware at the industry level of the history of regulatory failures and impacts. Carlos, what do you think? What would you add?

I kind of take a slightly different approach here. I really think in terms of maybe overly simplistic, but pictures, graphs and trends. Those are the things I think really work well with boards. Those are great mechanics. If you’re presenting and you have a lot of text heavy because you are worried you won’t get through the presentation, or you’re sending that reading material in advance, I would suggest that text is okay but make sure that you have some pictures. I think that helps bring the concepts to light in a different way. The board is made up of humans. And we as humans are emotional creatures, we do respond to things like hope and fear and anxiety. Pictures that display that are fantastic. I see a lot of material that is presented to boards that just seems like this is all done with TOGAF architecture in mind, and if you’ve seen a TOGAF drawing before, it’s not what I’m talking about when I say a picture, think about things that will evoke emotion, that will demonstrate the state that you’re trying to convey in your presentations. Color and layout can matter, especially when you are really working with very few slides, right? You’re not going to be able to put a 30-slide deck in there. Maybe you’re going to have four to eight slides. So having pictures is super important. Graphs are also helpful, like graphs do help aggregate the data, and they indicate what you’re basing your observation on data. I think boards respond well to that. They don’t want to see your data, but they definitely want to see the graph. Then they’re going to wonder, what does the graph look this way? What if the y axis had this composition? If you’re going to put a graph together, think about alternative graphs that might help them understand things like a timescale over time. Here’s the graph six months ago, here’s the graph two years ago, which the goes back to my third comment of trends. Trends are really important. Are things improving? Are they staying the same? 
Are they becoming more expensive? I would love to have a poll on who has a finance background, since there is a sense of a theme there as well. I was an accounting undergrad major, and I went to Deloitte, and I was working on my CPA hours, then I transitioned over to a department called Enterprise Risk Services or ERS. I was able to do both. I was able to do internal controls, ERP systems and finances. That was really my transition into cyber security. Then, over time, the more technical space I found very interesting. Things like firewalls and networks, segmentation, design, I just thought that was really fascinating. It’s very interesting to see how people have leveraged their different backgrounds. Ultimately, I do think that the board thinks in terms of financial numbers, metrics, things like that. You can also take a look at the composition of boards. I tend to find that a lot of boards have mainly attorneys on the board now, which is pretty interesting; it used to be more CFOs and things like that. Lately, with the boards I’ve been working with, I find a lot of attorneys. One of the things I think is very important with attorneys is, like Bryan was saying, the regulatory landscape, really thinking about what the impact there is. Ashli mentioned insurance and cyber insurance. One of the things that can be a trap around cyber insurance is that the board thinks, we have this insurance. Well, you do, but you have to also show them what a potential worst case could look like, because your insurance is usually not covering you for all of the files that are sensitive. You put a price against that file: how many files do you have? Now you’re thinking, if the entire crown jewels of the company were taken, this is the financial impact, and this is what the insurance covers. You put that in a graph, and you show the comparison. You say, is this the risk appetite that you guys are accepting? I think that’s really important. And then you can say, well, we could segment this out. 
We could not put everything in the single location. There are ways to mitigate that without going into the technical detail. I think those are the mechanisms that really resonate with boards. The last thing I’ll mention: I’ve been working with a relatively new board in the last couple of months. They’re growing as a company now, and they’re interested in becoming a bigger company. They’re going after SOC 2 and HITRUST, and suddenly all these concepts are coming into play. They now have a good business operating model. I started working with the CEO and the board on board governance; they didn’t have anything on their agenda around internal controls. Instead of giving them the answer, I did prompt the CEO and say, here’s some reading materials, but you guys have to have this conversation: what does internal controls mean to you? Here’s the COSO objective, here’s some background. In the future, I do plan on coming back with a scorecard, with things that are templates that we can show them over and over so they become comfortable. I think putting them in that position does help them think through what that means for them. Because eventually this board is going to have its own culture, its own processes, its own way of doing things, and I didn’t want to be the only one who’s talking about the topic. I really thought it would be important for them to have that conversation without me there, and to be able to figure that out, and we’ll shape and adjust over time. That was an approach that I took, and I think I got good feedback from it, from the CEO. They were like, okay, you’re right. We’ve grown as a company, and so we have to take this concept of internal controls a lot more seriously.

The last thing that we’re going to do here, before we get into the Q and A from the audience (we’ve gotten a couple questions come in already), is our lightning round. I feel like I need a sound effect on that slide, but for everyone who might be multitasking, I’d say, put that other item down, because I’m going to ask Carlos and Bryan a series of questions, and they each have only about 15 seconds to answer each of them, so I will do Bryan first and then Carlos, just so you guys can be prepared here. This one is very easy to keep short, because the answer is simply agree or disagree. Do you agree or disagree that a board sees security and compliance as a bottomless pit of investment?

I’m going to answer yes, I agree and disagree, but in 15 seconds or less, I’m going to explain why. It depends on how well the CISO has communicated how the investments in security benefit the organization. Building artifacts such as a program design guide or blueprints tend to help a lot in this space, and optimally adopting something like an activities-based costing model can really create clarity.

I’m not going to go with that. No, I don’t think boards see this as a bottomless pit. Here’s my reason why, it’s part of doing business, the cost of doing business. As long as you associate that, I think that puts some limits to it. Then the other aspect is, if you state the things you know and you don’t know, and you can forecast things out in terms of these numbers, here’s a plus or minus 50% to what they might cost and how long they might take, then I think you can put some boundaries, because ultimately, we know there has to be a limit to this thing, and there is a cost of doing business, and you have to be able to have that risk conversation.

Next question, and this is in relation to CISOs and relationships with the board. What are the conditions for success? To keep it quick, I’d say name the top three: an objective assessment that captures current state, one which results in a common operating picture, two, and then the board or executive leadership support the reduction of risk. That’s it. If you’ve got those three things, you’ve got it.

I don’t disagree. But I have my own three, so I think that the three that I would point to for success are, one, communication, number two, a shared responsibility model, and number three, cultural fit. If you’re a CISO with a board where you just don’t get along and it’s not a cultural fit, then it’s going to be a really rough ride.

Next question, how do you build that lasting relationship with the board?

Simple answer, patiently thoughtfully over time, and make sure to leverage the stakeholders around you.

I would take a little bit more of a tactical approach. I would say, one ally at a time. Really taking the time to find that board member where you get along. Maybe you have some educational institutions that you share. Maybe they came up in a similar way up there in their careers. Maybe they live in a place that you just find common ground and building that relationship, and then asking for help and say, you know, who else on the board do you think I would be able to build some allyship with and then keep going? If you do one board member at a time, over time, they’ll get to know you, you’ll get to know them. I think that’s going to improve the relationship dramatically.

Final question of our lightning round, what do you suggest CISOs do with boards who are bullish on AI?

Bryan, use your existing programs to reduce risk. Third party risk management, data security, some form of an InfoSec project review process; use your existing capabilities to demystify AI.

For a board that’s bullish on AI, I would ask them if they’re familiar with anything that has only upside and no downside, because we know that AI does require some investment, so it requires some due diligence around data, some additional investment and controls. One of the things I’ve been noticing is the board wants the benefit of AI but does not want the cost or the organizational changes that would come from AI. I think if you have that conversation, they’ll be like, oh, you’re right. So, what are those downsides to AI? Be ready to talk about how hard it is to do a transformational project in your organization, how many transformational projects have been successful, how many have been attempted, then take a look at those odds and have that type of conversation with the board. Doesn’t mean you can’t do it. You just need to understand that that’s the track record of the organization. How do you improve that track record going forward? AI will require some investment. It is not just pure upside.

Thank you. That concludes our lightning round. We are going to move on to our questions from the audience. We have a couple that have come through already that I’ll get started with. I would just like to say, definitely continue to add those in there in that question field, and we’ll start to tackle those. For the first one, Bryan, I’m going to kick this to you, because it actually ties back to one of the pieces you said about things that boards might inherently understand. The question is, how do we frame AI risk in terms of regulatory exposure and reputational impact, rather than just the technical vulnerability?

Kind of an extension of my previous answer, regulatory and reputational impact. You can view it through the lens of your compliance programs, and so AI is a relatively new technology, but the same fundamentals of information security apply, from third party risk to vendor risk management to data security, and so demystifying AI and breaking it down: it is about protecting data. It is about preventing regulatory failures. Couching it in that way I found to be effective. I recall a couple of years ago, the chairman of my board introduced AI as a topic and brought in an expert to tell us about the power of it. It gave me the opportunity to say, in a construct of 27 cybersecurity capabilities at any given time that a company is investing in, this one technology affects seven of them on day one. Using that as a lens by which to demystify it and explain how we want to protect intellectual property and company data, dissecting it in that manner, helped it to resonate so that everyone understood it wasn’t as simple as just implementing AI. It was going back to the fundamentals of how we would safeguard the company while capitalizing on what looks to be a very promising technology.

There’s kind of another related question that I’ll do as a follow up here, and I’ll have you jump in; that way you can weigh in a little bit on either. Related question: the first one was about framing AI risks, about regulatory, reputational impact, etc. This one is similar, about framing it. It’s, how should we communicate AI related risks without fueling the hype or the fear?

I think it’s an excellent question. We know we have an existing process in companies for tracking risks called the risk register, and you have high, moderate, low rankings on that risk, and hopefully the board is familiar with that process, so that you have been bringing up risk and being able to show them what is on the high end of that risk register, that you’re talking about your security program and its overall effectiveness. When you take a look at AI risk, I think the number one thing you need to do is answer really basic questions: is it being used, and how is it being used? Are workers simply going to ChatGPT or Claude or some sort of website and uploading information and records and just using it to enhance their workflow? If that’s the case, then you have a risk there of shadow AI. We know that a lot of sensitive information is being uploaded to AI that should not be uploaded to AI, oftentimes by senior people, because they don’t understand that there is a number of controls that these models can actually be used with, like you can say, don’t train your model on the data I upload. Or you can have a local instance of that LLM so that you’re not putting it into the public cloud that is available for the larger system to be trained on. Having those types of conversations, top down risk, I think that’s really important, and being able to use the process that you already have in place so that you can say, this is not any different than previous technologies that we’ve seen. We remember the .com era. We remember this thing called moving to the cloud, right? We remember mobile devices. We’ve gone through a lot of technological change. The good thing is that it’s happening in this shared lifetime. It’s happening so quickly we can point to and say, I remember the days when, and the board is going to remember the days when a dot matrix printer was how you printed things, and there were perforated holes on the side of the paper, and that’s how the paper got fed, right? 
Today we don’t even print things anymore. And if we do, we do it over Bluetooth and a wireless connection. I think taking into account the awesome reality of what this could mean as a society, from the goodness of AI, improving things, changing things, at the same time the risks are really talking about threats to the business and how hard it’s going to be to implement this, what kind of violations you might have, because we don’t have a good AI policy. We’re not training people. We’re not doing the due diligence and the hygiene that you would expect. If you’re not doing those things, those should be on your risk register. Anytime I see an AI project, I always ask, where is the business sign off? Is the business aware of these risks? No one seems to want to go in and point that out to anybody; unless the company has a chief AI officer, it’s kind of left to the wind. I think the CISO’s role is not to accept or reject the risk, but to write it out and to bring it to the attention of the business. Say, this is what I see. It’s a very high risk. We just don’t have these things in place. If you’re willing to accept that, no problem, just accept this risk. I’ll put it on the risk register. I have seen some conversations with CISOs where they don’t want to do that because they think that might cost them their job. I think you have to evaluate your organization and what’s the right thing to do. In some cases, maybe it’s a CYA kind of activity. I don’t think that’s the right thing to do. I think you need to be transparent, have that right communication. In some organizations, maybe they feel like job security is an issue. There are some unrealistic expectations. You don’t want to be the person that sits in front of a group of people saying, all this is going to cost money. I know you want the benefits, but all this is going to cost money. You might be seen as the person who’s the naysayer, who doesn’t want to adapt and get on board. How to thread the needle is really important. 
I think you have to be able to use your risk process. Make sure you document that risk and make sure you let them know that you’re willing to be supportive. Another thing I’ll leave you with as well is that you can be more nimble in this space. I know as CISOs, we want to have control. We want to have predictability. We want to know the things that are in place, right? With AI, you may just have to become agile. You may say, where’s the proof of concept, and can I assign someone onto that team and let them know? Don’t slow them down. If you can identify technology, controls, processes, policies, anything that’s going to help us identify the risk and try to prevent data from being exfiltrated or shared that shouldn’t be, those are the kinds of things we’re really worried about. Name your top three, four items and say, monitor this, help them and test that as part of your proof of concept, so that your proof of concept for AI includes AI security. Maybe not all of it exactly the way you’d like, but get in there and participate, because otherwise you’re going to be on the back end of that process, and you don’t want to be there, because then the question is, where were you when this stuff was being tested? I also think there are some significant risks around AI that we do have to talk about, and we only have eight minutes, so I won’t go on a diatribe about that, but that’s maybe another webinar in the future. As CISOs, you do have to think about that. This type of topic, because of its strategic nature, I think you can engage the board on, and just let them know this is what I know, this is what I don’t know. This is what I propose. Here are my options, option one, two and three, and have the board support those options.

Another question that we got, which I’ll actually tackle first as part of the answer about that, is, should AI risk be framed as a cybersecurity issue or an enterprise risk issue? I’m going to jump in here first and just say it is absolutely both. There are many different risks associated with AI, just like there are different risks associated with any new frontier. There are many cybersecurity issues there. As Carlos mentioned, it’s a whole big topic; maybe we’ll have another one focused on that. As an enterprise risk issue, the reason why I say it’s absolutely both, from my perspective, is that that use of AI can have a lot of impacts other than just what people traditionally think of as cybersecurity. An example here, just to show this: right now, the only compliance certification about AI is ISO 42001, and with that, in that framework, you actually have to show that you have done a societal impact assessment for your use of AI at your company. I know that’s just one detail and one compliance framework, which was in everything, but it’s a really good example of how, if something goes wrong with the use of AI, it can have a bigger impact than just cyber. That’s what that societal impact is coming from, and that ultimately can harm your business’s brand in a bigger way, in a different way than we think of in some other types of cyber impacts. Bryan or Carlos, anything else you want to add on that question?

Actually, you mentioned ISO; the NIST AI risk management framework is very similar in that respect, in that it transcends just cyber. So great point. I would only add that in the United States, we seem to have put a moratorium on compliance around AI, so the amount of influence there will be limited, and companies will do it because they think it’s the right thing, but not because they’re being pressured to do so or obligated. That’s different in Europe and other parts of the world. I would say that is a reality. We know how hard it was when FedRAMP was first created, or HITRUST or PCI, to get organizations to comply, and you had to just pull teeth, and it wasn’t until it was mandated that people did it. I’m not an optimist when it comes to AI compliance. I think companies that are doing it are doing it because they do want to limit their enterprise risk, but the fact that we don’t have an explicit mandate that says, thou shall do this, then I think that makes that case a little harder to do. Maybe things will change, but right now, I think we’re in uncharted waters, and we know that when there isn’t a legal or regulatory requirement to do it, the vast majority of organizations simply don’t.

We have time for one more question. Our final question is going to be about really making this all come back to dollars. When attempting to tie cybersecurity risk to assets, to a potential dollar amount, what methods have you found to be most successful in converting risk to dollar cost?

I guess I’ll jump in first. It varies. Where that has always begun with me is my relationship with my CFO, because at the end of the day, however you do it, you’re going to need a model that finance can look at and agree with. I’ve always done that in conjunction with finance to arrive at, are we going to value assets based on potential revenue impact should an asset fail? Actually, you mentioned insurance, and insurance probabilities of coverage, potential for gross negligence, and arriving at a percentage probability of payout and coverage depending on the structure of your policy. The key there is to have finance with you defining that model; at the end of the day, whatever you agree upon is mutually agreed upon, and therefore using that tool moving forward becomes more effective.

Thank you. With that, we’re starting to wrap up here, everyone. We really just want to say thank you, of course, to Bryan and Carlos as our panelists for being here today. Thank you, everyone, for joining. As you all heard from the polls, from our panelists and some of those questions coming in, the CISO’s role can include a near endless amount of responsibilities with regards to that board dynamic and communication. In response to this demand, I just wanted to share that Tevora is building out a new Board Advisory Service. Bryan and Carlos are the champions here on that. They’re available to assist, brainstorm, whatever. You can see their contact info as well as mine here on the screen. Please don’t hesitate to reach out if you have any questions on that. And also, as promised from that panel question about the different friction points for those different research items, reach out to the contact info here, because we are happy to share a little bit more insight on those specific topics, as I mentioned.

I just want to say thanks everyone for attending. I appreciate your questions and the opportunity to share our thoughts and experiences with you.

You can all probably tell that this is maybe one of our favorite topics, and I so appreciate getting to spend the hour with you.

To close out, from Tevora, we just want to say thank you to everyone for joining us. Tevora is here for all of your cybersecurity needs, from compliance to vCISO and everything in between; reach out if we can help you. Most of all, thanks, everyone. Have a great day.
