
Kitecast

Author(s): Tim Freestone and Patrick Spencer

About this audio

Kitecast features interviews with security, IT, compliance, and risk management leaders and influencers, highlighting best practices, trends, and strategic analysis and insights. © 2025 Kitecast
Episodes
  • Justin Greis: AI Meets Cybersecurity
    Oct 27 2025

    Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of Acceligence, an AI-powered consulting firm, explains why this approach creates risk and how security leaders can change the conversation.

    Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly.

    Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards.

    Greis emphasizes that compliance certifications like SOC 2 or ISO represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards.

    The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer.

    The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details.

    As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries.

    Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows.

    LinkedIn: https://www.linkedin.com/in/justingreis/

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

    49 min
  • Kevin Powers: From Academic to Practical Cybersecurity
    Oct 16 2025

    Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals.

    The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33.

    A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications.

    "Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0, FedRAMP, and the NIST Cybersecurity Framework.

    The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output.

    Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail.

    Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity, which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders.

    For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity.

    LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/

    Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html


    51 min
  • AI and Third-Party Security "Danger Zone": 2025 Annual Data Security and Compliance Risk Report
    Sep 5 2025

    Cybersecurity experts Heather Noggle and Dr. Arun DeSouza discussed Kiteworks' Data Security and Compliance Risk: 2025 Annual Survey Report, which introduces the industry's first quantitative risk scoring algorithm. The comprehensive study of 461 organizations reveals that 46% now operate in high- to critical-risk territory, with the median enterprise scoring 4.84 on a 10-point scale—dangerously close to the high-risk threshold of 5.0.

    The experts analyzed a counterintuitive finding about third-party risk management: Organizations managing 1,001-5,000 external partners face the highest security risk (average score 5.19), surpassing enterprises with over 5,000 third-party relationships. Dr. DeSouza explained this "danger zone" phenomenon: "By nature, managing over 5,000 means you're a much bigger organization with more resources ... Many times you've got a platform-based approach." These larger enterprises can monitor risks in real time, while mid-sized partner ecosystems struggle with enterprise-level complexity on mid-market budgets—resulting in 24% experiencing 7+ annual security incidents.

    Industry-specific findings revealed surprising risk disparities. Energy topped the risk charts due to legacy IoT devices and 30-year-old technologies vulnerable to exploitation. Technology ranked second, which Noggle attributed to the "overconfidence factor" and rapid employee turnover. "Tech companies are losing people so fast, they want to implement things so fast. That to me is a perfect storm," DeSouza noted. Conversely, heavily regulated sectors like life sciences demonstrated lower risk scores due to compliance-driven security investments.

    The report exposed a dangerous "confidence paradox" where organizations claiming to be "somewhat confident" in data governance showed 19% higher risk scores than those acknowledging uncertainty. "Without governance you can't manage," Noggle emphasized, adding that overconfidence breeds complacency in rapidly evolving threat landscapes.

    AI governance emerged as a critical vulnerability. While 64% of enterprises track AI-generated content (up from 28% in 2024), only 17% have deployed technical governance frameworks. The stakes are high—the IBM Cost of a Data Breach Report found that 97% of AI-related breaches lacked proper controls, with AI breaches costing $670,000 more than average. DeSouza warned about inherited risks like "Echo Leak," a zero-click vulnerability exploiting AI's use of historical data, demonstrating that organizations must secure not just AI models but their entire operational environment.

    Poor data visibility creates cascading failures: Organizations unable to count their third parties showed 46% correlation with unknown breach frequency, while 31% of those with 5,000+ partners take over 90 days to detect breaches. As Noggle noted, "If we're back at identify and we're at detect, detect should not be that difficult if identify is done well."

    Heather Noggle LinkedIn: https://www.linkedin.com/in/heathernoggle/

    Arun DeSouza LinkedIn: https://www.linkedin.com/in/arundesouza/


    56 min