At the InCyber Forum Canada, three seasoned experts from North America’s public and private sectors shared their insights into how the CISO of tomorrow can safeguard their organization against the worst-case scenarios.

Difficult as it may be to discuss the future of cybersecurity without delving into AI, the risks and opportunities it brings are largely overhyped, according to the experts interviewed.

AI’s role in cybersecurity: opportunities and limitations

For Sue McCauley, head of cybersecurity at High Speed Rail Solutions in Canada, AI can complement other types of defenses, particularly in data analysis and filtering to identify threats. However, for now, it lacks the ability to detect sophisticated attacks, such as zero-day exploits, which are on the rise. With tight budgets, McCauley emphasizes that every layer of defense should prove its worth before organizations spend a dime. This sentiment is echoed by Dan Lohrmann, former CISO of the State of Michigan, who warns against the current enthusiasm around AI, noting that it is “a component of nearly every cybersecurity solution sold today.”

By contrast, the growing adoption of large language models (LLMs) by organizations has raised significant concerns among the three experts. McCauley describes these AI tools as “merely recirculating existing information,” with data poisoning—the deliberate injection of misleading information into their training or reference data—posing a major risk to their reliability.
“Everything must be verified,” she insists, a view shared by Nancy Rainosek, former CISO of Texas. She stresses the need to “keep humans in the loop” when interpreting AI-generated data to avoid wasting time on “perfectly written nonsense.”

Sensitive data exfiltration via LLMs is another significant risk. Rainosek highlights an incident where a Texas government employee inadvertently disclosed private staff information to ChatGPT. Beyond such accidental leaks, malicious actors can also exploit prompt injection attacks to access sensitive business data, such as customer records or trade secrets.

Traditional threats remain prevalent

Despite the emergence of AI-related threats, the experts urge us not to lose sight of “classic” threats like ransomware, which remain dominant, particularly at the local level. Rainosek recalls her unparalleled experience dealing with the massive ransomware attacks targeting 23 Texas government organizations in 2019. Facing this unprecedented “statewide disaster,” she spearheaded the creation of three regional security operations centers, which continue to improve local incident response efforts while training university students on critical cybersecurity issues.

Supply chain attacks are another pressing concern. Targeting a third-party provider, such as a cloud service, can have devastating consequences for organizations. Rainosek warns of the lax security practices of some vendors, often lacking CISOs and failing to prioritize this critical role. To maintain control, she advises ensuring providers meet compliance standards. The Texas Risk and Authorization Management Program (TX-RAMP), for instance, mandates that cloud companies working with Texas universities or government agencies comply with stringent security requirements.

Communication and trust: the human factors that cannot be ignored

Lohrmann highlights the importance of pre-crisis communication planning. He advocates for a detailed communication strategy outlining the roles of all stakeholders. “This plan should include how to communicate with the media, the tactical team, the private sector, and other relevant actors,” he explains.

Reflecting on the 2003 North American blackout, which affected 55 million people, Lohrmann underscores the importance of identifying available resources during a crisis: “Where are your backup plans? Who will you rely on when your full team isn’t available?” Despite everyone’s role in a crisis, the CISO remains at the core of incident response.
“All eyes will be on you, waiting for your response,” McCauley warns. She emphasizes the need for preparedness—knowing the crisis plan inside and out, along with every step required during an incident.

Lastly, while the CISO of tomorrow must exude confidence, they must also earn their team’s trust. “If you have a reputation for neglecting your duties or being inattentive, you won’t be trusted. When a cyberincident hits, that level of trust will determine whether you’re the one capable of helping your company or government,” Lohrmann cautions.
