Exploring the Role of the CISO in Cybersecurity

Grace Gately: Hello, everyone, and welcome. I am really excited for today's session, focused on one of the most demanding and highly scrutinized positions in the modern enterprise: the role of the Chief Information Security Officer.

CISOs are expected to advise the board, partner with executive leadership, and run programs that both reduce risk and drive the business forward. It is a role that keeps expanding, and the bar keeps rising along with it.

I will be handing it over to Alan in just a minute to kick us off. But first, I wanted to share a few quick thank yous — starting with Alan Luk for joining us again as our guest moderator. He has been leading a series of webinars with us and we are really excited to have him back for this final April session.

We are also joined by an incredible group of panelists: Amir Niaz from Culligan International, Nicholas Muy from Scrut Automation, and Craig Riddell from Wallarm — all leading in this role and here to share what it actually takes to be successful as a CISO today.

With that, I will hand it over to Alan to lead us through today's session.

Alan Luk: Thank you, everyone. Great topic today, and one that is very interesting to me. I have reported to CISOs before and they all seem to be very busy and very stressed — and the good ones hide it remarkably well. Today's session is going to be talking about the CISO role, which has evolved from a technical leadership function to a business accountability function, often with responsibility that outpaces authority.

We will explore how that reality differs across startups, mid-market companies, and enterprises, and hear from three panelists who took different paths to their positions. We will touch on leadership pressures, burnout, board and executive expectations, and key red flags to watch for before stepping into the role.

Thank you all for being here. Let us kick things off. We will go in order — Craig, Amir, and then Nick. Briefly describe who you are, where you work, and what your day-to-day looks like as a CISO right now. And at the end, tell us something fun and interesting about yourself unrelated to work.

Craig Riddell: Good afternoon, everyone. My name is Craig Riddell. I am the global field CISO at Wallarm. My day-to-day right now seems to be mostly conversations around AI transformation and observability across the API layer, which has suddenly become very much in the critical path.

I got to this role in an interesting way. I got out of the military, fell into cybersecurity almost accidentally, got deeply interested in identity, and found myself here. Outside of work, I am deeply into rugby — that is my passion, though I feel like I am getting a little too old to play effectively anymore. Looking forward to this discussion.

Alan Luk: Hopefully it was a good accident, landing in cybersecurity after the military. And age is only a number — keep going out there on the rugby field.

Nicholas Muy: I am the CISO for Scrut Automation, responsible for all of our internal security, compliance, and everything that goes with it. Day to day and week to week lately, it seems to be keeping up with the increasing euphoria, pandemonium, fear, and hysteria around all things AI — AI that will help us, AI that will destroy our universe, and everything in between.

Keeping up with that looks like consuming a lot of information, talking constantly to peers, spending a lot of time getting demos from founders, and looking at different vendors — because a lot is changing fast. I still buy from big established publicly traded cybersecurity vendors, but there are also things I believe I just need to go talk to smaller companies about. At minimum I will learn something, because they are pushing the envelope. I probably did two demos yesterday just trying to keep up and think about how things will help us as a company.

Something fun: snowboarding. I really like snowboarding. If there is ever a CISO snowboarding event, sign me up.

Alan Luk: Nick, you are also more than just a CISO — tell us about the other part of your role.

Nicholas Muy: I have taken over a lot of infrastructure and platform engineering work recently. I have talked to a lot of peers who are doing the same — people who started in security and, through deep involvement in SRE, DevOps, and infrastructure design, found themselves naturally evolving into owning more of it. In some companies that evolution looks like a CISO becoming a CIO. I think what you call it can differ, but if you are securing AI enablement inside a company, you are already deeply involved in infrastructure — you just care about it even more now.

Alan Luk: Wearing two hats — how do you balance them? Is it complementary or a constant battle for time and attention?

Nicholas Muy: You get creative. You ask people on your team to step up a lot and see how that goes. I have had to constantly reinvent my workflow and day-to-day productivity as both a practitioner and a leader. I use a lot of AI tools in my daily workflow — whether that is handling email or building a small utility to give me an on-demand status update across our entire stack without wasting anyone's time. Five years ago I thought the job would involve a lot more PowerPoint and a lot less terminal. Now it is all terminal, no PowerPoint.

Alan Luk: And for the audience — Nick is also an avid runner. We have run half marathons together, and somehow he is always in a great mood at the end.

Amir Niaz: I am Amir Niaz, global CISO for Culligan International. We do water filtration and clean drinking water and operate in 80-plus countries. My role is basically trying to work at the speed of AI — because security protocols, third-party risk management, and everything else are struggling to keep up with the pace of AI development, including the challenge of shadow AI.

That keeps us busy in a global environment — keeping the lights on, improving the program, building the team, developing skills. AI is so new that even the vendors and startups we work with are challenged by the talent gap. Every person on my team must spend around 25 percent of their time learning tools, playing with agents, creating something, and innovating. We have moved away from PowerPoints and BI dashboards entirely — it is all real-time data now, which creates new challenges around prompt engineering, insider threat, and data exfiltration.

Something fun: I enjoy wine. Researching wines and getting on waiting lists for bottles I really want — that is my version of fun. My background is similar to Craig's in some ways: I was in Afghanistan in 1988 to 1989. My IT career started with radio signals, then evolved into business, then into IT and security. I once wanted to be a board member somewhere, and now I am presenting to the board — so one way or another, I got there.

Alan Luk: Amir, follow-up: how aggressive has the push been to adopt AI at Culligan, and what support has the company provided to help the team level up?

Amir Niaz: The message from the board and leadership is clear: do something with AI. The tier-one approach has been productivity tools like Copilot and ChatGPT-type tools. Then you have point solutions from vendors claiming to solve one specific problem — financial close, marketing calls, tech support. Those are moving fast.

Where we are focusing is on automating the tier-one and tier-two support workloads. The 80 percent of help desk calls that used to be handled by humans — password resets, equipment requests, standard support — can now be handled by AI agents around the clock. That creates free time for our people to invest in learning AI more deeply and becoming real partners to different business units, helping them implement AI in a secure way. Marketing teams, for example, often do not know what problem they are trying to solve — they are just listening to vendors. If I can develop our internal IT team to be that trusted partner, they can help the business adopt AI thoughtfully.

Alan Luk: First question for the panel. We will go in reverse order — Amir, Nick, then Craig. What was the biggest disconnect you experienced between what you thought the CISO role was going to be and what it actually was? Or, if you have been in the role a long time, what has changed most significantly about what you are responsible for?

Amir Niaz: When I started about five years ago, we were a smaller business — around $600 million, privately held — and the goal was to design a security posture that was fit for purpose. We were doing a lot of M&A, over a hundred acquisitions a year, so we needed to build a rinse-and-repeat process. It was one inch deep, one mile wide — finance, marketing, data all pushed down and integrated on a 190-day post-close timeline. Nobody looked too deep. It was about speed.

What has changed is that now we are asking: why do we have this many ERP systems, this many CRM systems? How do we consolidate, simplify, build automation? Any AI tool requires data, and data cleanliness, data oversharing, and identity issues are all coming home to roost now. The focus has done a complete 180 — from building fast to cleaning house and making everything ready for the future.

Nicholas Muy: The biggest disconnect for me was actually a positive surprise. The role has continued to be a lot more technical than it is political — and that is what I wanted. Sure, there is still stakeholder management and budgets, especially at a startup where you are competing for resources. But I set clear expectations with the founders when I joined: I am not going to build an enterprise security program for a 200-person company, but I do want to build a fit-for-purpose program aligned to the actual business need.

What I did not fully anticipate was the people and change management component. With the adoption of LLM coding agents and everything that has come with that, there is a constant demand for everyone to get their hands very dirty — committing to PRs, building utilities, being self-sufficient, living off the agents. Some people on the team rise to that with excitement. Others need more support and nudging to navigate the change. I spend a meaningful amount of time on that, even at a startup, more than I expected.

I also came from the federal side — I started at Homeland Security in Washington DC, and before that at the City of Seattle. Back then, a lot of the job was justifying why security should even exist. I spent 90 percent of my time on board decks and update documents. My strong preference for the terminal over PowerPoint was already set well before this role.

Alan Luk: Craig, same question — biggest disconnect?

Craig Riddell: Nicholas nailed it: defining expectations for the role upfront is something that is not done nearly enough. Too often CISOs are doing things they may personally value but that are not actually what would benefit the business most.

I am also seeing more CISO and CIO roles being combined, which I think reflects the shift toward a security posture that is more deeply integrated with AI transformation. A lot of burnout in this role comes from that misalignment — more work than can possibly be done, with direction that does not align to what the board or the business actually needs. The CISO is often held fully accountable without the authority to actually make things happen. That caught me by surprise: how much of a diplomat you have to be, and how much time goes into explaining cyber risk to people who may not have a foundational concept of it. That part is improving, but it is still a real source of friction.

Alan Luk: Let us talk about leadership pressures and burnout. The average CISO tenure is around 18 months. Where does burnout typically originate?

Amir Niaz: It is all of the above, but mostly the speed of AI and the expectation that security is the department putting roadblocks in front of innovation. There is real pressure on that. The AI RMF — with its measure and map framework — has 50-plus controls to validate. That alone is a significant load.

What concerns me most is the question of accountability. When we are humanizing AI and embedding it into core business processes, if something serious goes wrong — if an agent exfiltrates data, if authorities come calling — who is sitting in the hot seat? That is why at Culligan we have built a committee. The risk understanding is not just the CISO's anymore. There is legal risk, there is cyber risk that cyber insurance needs to understand, there is board-level sign-off on AI onboarding processes. The board conversation has changed completely — they are no longer asking about patching rates or MDR deployment percentages. They are asking about how much the business can absorb if there is a major incident, what the impact would be on material controls, and how we are navigating global regulatory differences like the EU AI Act versus state-level AI laws in California and Utah.

The message is: do it fast, but do it carefully. Walking that rope every day is where the pressure lives.

Craig Riddell: I would echo what Nicholas said earlier about expectation-setting. Burnout comes from misalignment. There is more work than can possibly be done, and if the security office and the board are pointing in different directions, the CISO ends up working very hard on things the business does not actually care about. And they are being held accountable without the authority to drive change. That is an exhausting place to live.

Alan Luk: GRC question, since that is my world. On org structure: as a security leader, would you prefer having the GRC team report into security, or somewhere else like legal? What are the pros and cons?

Craig Riddell: I do not have a strong preference on where it sits, as long as we do not fall into the trap of thinking that being compliant equals being secure. We should be driving toward a security posture that works for the business, not just checking compliance boxes. Wherever the GRC function gives us the most accurate reflection of real risk is where I want it to be.

Nicholas Muy: At Scrut Automation, GRC has always sat within security, and that makes sense to me. In an organization like mine, I am not responsible for internal audit — that separation exists at larger companies where there is an independent third-line function. GRC and infosec are both part of the management team. Our incentive is to make sure the program actually works, not to sit in an ivory tower auditing things. If auditors are asking for things that do not make sense for our business architecture, I am comfortable pushing back and explaining our setup. My job is to solve the business problem, and if there is no business, there is nothing to secure.

The higher risk tolerance that comes with that mindset has to be paired with real controls. We have deep endpoint visibility across every employee device. We do not have ten ServiceNow tickets to onboard someone. When something like an NPM compromise comes out, within an hour of the IOCs being published, I am looking through everyone's laptops, pushing blocking rules, examining running processes. Confidence in your controls is what allows you to take the right risks.

Amir Niaz: At Culligan, compliance sits with the internal audit team and works in close partnership with cybersecurity. The tools overlap — what we use for compliance feeds into the ERM program — and we essentially audit the auditors, validating their findings and helping improve the underlying processes. It is separated but hybrid. When findings come in, we run them through multiple thresholds — is this a critical application, is it externally facing — and assign priority from there. Most of the time my team and the audit team are aligned. The friction usually comes around OT environments, where segmentation and compensating controls are the only real options and one side calls something a red flag while the other says the risk is adequately mitigated.

Alan Luk: For viewers who may be thinking about stepping into a CISO role for the first time — what are the early cultural indicators that security will not truly be aligned to business priorities? We will go Craig, Nick, then Amir.

Craig Riddell: If security is only brought up in the context of compliance and audit conversations, that is a strong signal it is not a true strategic priority. And beyond that: define success for the role with your stakeholders before you accept it. What type of program do they want you to run? Are you here to fill gaps or to build strategy? Are you aligned with business partners or just managing certifications? Those two questions will tell you a lot.

The definition of success has changed significantly over the years. Before, it was maturity curves, compliance scores, keeping bad actors out. Now the assumption is that sophisticated actors can find a way in — the question is how quickly you can detect and respond to limit what gets out. CISOs need to get as close to the business as possible and be part of design and build, not just a checkpoint at the end.

Nicholas Muy: There are so many red flags to watch for. One of the easiest to check: find out what compensation increases the security staff have received over the last few years. If the team has seen essentially zero increases over two, three, or four years, that tells you how the organization actually values security — regardless of what they say in interviews.

Also watch for euphemisms. Nobody will tell you outright that the job is a mess. They will make everything sound exciting — the company is growing, the opportunity is enormous, the team is ready to level up. Your job is to read between the lines. Ask whether the founder has ever spoken to the person who was in the role before you. Ask what happened to that person. Ask to talk to people on the security team directly, and ask around — it is a small industry and you will likely know someone who knows someone on that team.

That is not to say you should avoid those situations. At certain points in a career, walking into a rebuilding job and flipping it is a great way to make your name. But you need to go in with eyes open, not because a recruiter made it sound like the role of a lifetime.

Amir Niaz: Ask about business priorities and challenges upfront, and do not limit those conversations to the person you are reporting to. Ask to speak with business unit owners — marketing, manufacturing, whoever is relevant. Ask when the last penetration test was done. Ask what the cyber insurance situation looks like. A major red flag for me is when the answer to every question is everything is fine, we just need someone to quarterback this. That is a signal to ask more.

At the same time, you do not want to come across as afraid of a challenge. The question is whether the security budget is growing at the same rate as the business, or whether it has been flat while the business doubled. Ask about your path — will you have visibility in front of the board and audit committee? Are you presenting directly or going through intermediaries? Those things matter for your ability to actually do the job.

Alan Luk: Let us talk about skills. What roles or capabilities do you see the CISO evolving more toward, compared to the traditional role?

Craig Riddell: It is getting much more tied to business decisions. The attacks we are seeing now are not just exploiting known vulnerabilities — they are exploiting bad business logic, wallet jacking, and other things that require a deep understanding of what the business is actually doing. That is the partnership the modern CISO needs to cultivate.

The old ways of securing an enterprise are quickly becoming outdated as we move toward an agentic workforce. And beyond the technical piece: learn to be curious. We want everyone in the business to care about security, but we often forget to care about their functions. If I genuinely care about what you do, you will more naturally care about what I do. Learn to be a diplomat, not just a defender.

Amir Niaz: The CISO is becoming more of an enabler. We are no longer just the people who patch holes — we are getting involved earlier in the process, asking why we are doing certain things, what the value is, what the ROI looks like. We are sitting in the starting phases of projects, thinking about business direction two years out.

I also think the CISO role is moving toward a broader governance function. The CISO is not going away — there will always need to be someone who carries the accountability when something serious happens. The challenge is making sure you have clarity on your tolerance thresholds, your board alignment, and your governance model. The SEC has been trying for two years to change how organizations measure this, but the function itself is not disappearing.

Nicholas Muy: I would add: AI tools and agents are replacing tasks, not roles. Every vendor's marketing will tell you they are replacing a role — but they are doing that by defining the role as a single task. A SOC analyst is not just triage. That was just the most time-consuming part. There is a lot of other work that got lost because that one task was so overwhelming. The other work still needs to get done.

There is also a real question about the pipeline for developing the next generation. If an AI tool absorbs all the tier-one triage work that a junior analyst used to do, how does that analyst build the judgment and experience they need to eventually manage the tools and tackle the harder problems? The answer is not that they do not — it is that they will build that experience working alongside the agents, providing feedback, improving the models, and doing more advanced work earlier. There are not going to be fewer people needed in security. There is going to be more work, as there has been every single time a major technology shift has happened.

Alan Luk: Amir, what AI tools is your team using on the security side, and where do you see the first areas of role evolution?

Amir Niaz: We are using vibe coding tools — a bit of Windsurf and Lovable — but nothing too extreme internally yet. Our SIEM and SOC platform has very good AI models, particularly for reducing the time between finding a vulnerability and an exploit. We are leaning on behavioral analytics to detect threats faster across the portfolio and scan logs at a speed that was not possible before, acting on threat intel automatically.

On replacing people in security — I do not see that happening yet. We actually need more people right now to get in front of this and develop AI skills. Where I do see automation making a real dent is on the IT operations side — level-one tech support type functions that can be handled by agentic AI.

Alan Luk: Craig, same question — AI tools you are using and what changes to resourcing and responsibilities it is causing.

Craig Riddell: No real reduction in headcount, just a lot of reprioritization. The increase in productivity when you apply AI to coding and code review functions is significant.

From an AI security standpoint, we are building toward full visibility — not just what comes in and out of the environment, but east-west traffic, which becomes increasingly critical as organizations deploy MCP servers and agent-to-agent workflows. Most organizations I work with have great north-south visibility but limited east-west. We want to follow identity and traffic all the way through, regardless of whether it is human or agent-to-agent, and build drift detection between expected and actual workflow behavior.

When a major technology shift comes — cloud, widespread computing, now AI — the first job is always getting back to basics. Remove shadow assets, understand what is actually running, and then tighten things down from there. There was not less work when cloud came out. There will not be less work now. What happens historically is work intensifies for certain things and reprioritizes for others — and then we invent entirely new categories of work to fill the space.

Nicholas Muy: Agreed. I use Claude Code and Cursor primarily, along with Gemini since we are a Google Workspace shop, and local models in LM Studio for experimentation — things like Gemma. There are a lot of utilities I need where the answer is not a full application but something small that can pull together context from Sentinel One, JumpCloud, and Google Workspace simultaneously so I can just get my answers without logging into each platform separately. I have built agents for exactly that.

On the AI security side, our MDR provider is AI-native and that has been very effective for scaling without building out a full internal SOC function — something that would have cost significantly more to do at the scale we are operating.

The fundamental point on roles is this: products are replacing tasks, not roles. The proof is that even the tasks we thought were the whole job — like a SOC analyst triaging alerts all day — turn out to have had a lot of other work attached that we just overlooked because the triage work was so consuming. Now that the triage is handled better, we remember that there is a real job underneath it. That job still needs to get done. The people doing it will just be working at a higher level, sooner.

Alan Luk: Closing round — what resources do you each rely on to stay current? Books, podcasts, people you follow? We will go Amir, Craig, then Nick.

Amir Niaz: A couple of podcasts I listen to regularly: Security Daily and the AI in the Works podcast. I also subscribe to CISA advisories — they send email summaries of current attacks, IOCs, and who is getting breached, which is genuinely useful. There are also private WhatsApp groups among CISOs — invitation only — where people share real-time internal details. Between all of that, it keeps you pretty busy.

Craig Riddell: Go to your AI tool of choice — Claude, ChatGPT, whatever you prefer — and give it a simple prompt: acting as a prompt engineer, refine the following and ask me some clarifying questions. Then tell it your role, your stakeholders, and what you care about. Have it generate a daily briefing for you. That is what I do every morning. Coffee, open my calendar, and the briefing tells me what meetings I have, what relevant news events happened overnight, gives me summaries of key LinkedIn posts, and surfaces the most relevant information for the day. Get curious with the technology, get comfortable using it, and it will route you to the right streams of information for your specific role.

Nicholas Muy: I will not repeat what everyone else said. My advice is to go outside your comfort zone and seek out writing that actually challenges your thinking. There is a journalist named Jasmine Sun, based between San Francisco and DC, who writes at the intersection of tech, policy, and AI — very relevant for CISOs navigating this environment.

My broader point: do not try to consume everything. Most news is noise. Most LinkedIn posts are AI-generated noise. A lot of briefings are just AI summaries of AI summaries. There is no value in spending your time as a human processing information that an LLM can process for you. The value you provide as a CISO is your judgment on the difficult, thought-provoking, hard-to-summarize things — how is this going to change the business, where should the security program focus, what does this mean for my specific industry. Spend your time there. Let the tools handle the encyclopedic stuff.

Alan Luk: I noticed none of you mentioned conferences.

Nicholas Muy: You just go for the steak, Alan.

Craig Riddell: It is basically just a big happy hour.

Alan Luk: All right, we are going to wrap it up, gentlemen. I really enjoyed this conversation — thank you for the candid stories, honest perspectives, and real insights. I am sure our viewers appreciate it too. Grace, close us out.

Grace Gately: What a great conversation. Amir, Nicholas, and Craig — thank you so much. The CISO role keeps expanding, and today made it very clear that succeeding in it takes deep security expertise, strong business alignment, and the ability to lead through constant change. Alan, thank you once again for leading such a strong discussion and for being such a consistent part of this webinar series. And to everyone who joined live — we really appreciate it. The replay will be available shortly after we wrap, so feel free to share it with anyone in your network who might benefit. Dune's next webinar is this Friday, covering the topic of controlled chaos. We hope to see you there. Thanks, everyone — take care.