LevelBlue + SentinelOne: Global Partnership to Deliver AI-Powered Managed Security Operations and Incident Response. Learn More

7 Important Questions Facing CISOs on Bridging the Gap Between AI Threats, Supply Chain, and Cyber Resilience

A CISO’s job never ends, and, according to a recent LevelBlue survey, the issues they deal with on a daily basis are piling up, creating disconnects in priorities and confusion about how to reach specific cybersecurity goals.

To help answer some of the more pressing questions CISOs face and to gain a different perspective on the survey’s results, we sat down with LevelBlue’s Chief Security & Trust Officer, Kory Daniels. The topics were wide-ranging, shifting from AI to supply chain threats to instilling resiliency within an organization.

Daniels originally covered these topics in the recent LevelBlue webinar “A CISO's Guide: AI Threats, Supply Chain Risk, and Security Leadership” so please check out the replay for more in-depth answers.

1. What specific actions have you seen in the last 12 months that support the modernization of security postures?

Kory: There are several contributing factors, both from the report data and from the communities we engage with. One major transition is the evolving importance of EDR (Endpoint Detection and Response). Over the last 12 months, we’ve seen the rapid adoption of Artificial Intelligence agents acting inside the environment to bolster these defenses.

As organizations diversify and grow, there is a new emphasis on detection and response capabilities that go "above and beyond the endpoint." While many started this journey years ago, the last year has seen a spike in Identity Detection and Response (IDR). This is driven by concerns over non-human identities and decentralized workforces. Security leaders are now asking harder questions about the performance of their current tools and seeking a "socialized understanding" of what XDR (Extended Detection and Response) really means for managing business risk.

2. When it comes to resilience, where are organizations succeeding and where are they falling short?

Kory: Success often hinges on governance, which can act as either a "tailwind" or a "headwind." When governance acts as a tailwind, it provides executive support and guidance, allowing the business to have clarity on which assets and applications require high-performance resilience. These successful organizations utilize Business Impact Analysis (BIA) tools to illuminate a common understanding of digital ecosystem risk.

The goal is cross-functional buy-in. Security shouldn't be a "paper tiger" created for its own sake; it must link investments and labor utilization directly to key business processes—ensuring the uptime, availability, and integrity of data. Conversely, programs fall short when governance is a headwind. This happens when security feels like it’s "on an island," leading to practitioner burnout and a feeling that their voices aren't heard when requesting necessary people, process, or technology investments. The launch of the NIST CSF 2.0 framework from CISA over a year and a half ago did some amazing things that we're seeing in the data the survey revealed, but also through community engagement about the importance of governance as a standalone category.

3. The survey indicated that almost half of CISOs expect an AI-powered attack to happen in the next year, but only 29% say they are properly prepared. Is it possible for a CISO to quickly boost an organization’s AI defense capabilities, and if so, what are the best steps to take?

Kory: It is 100% possible to boost capability quickly, but the question is where to apply the pressure. Threat actors are using AI "openly and freely," without the confines of compliance or audit, to create malicious code and enhance social engineering.

To counter this, focus on "Sweat Equity" over massive capital spend:

  • Education as a Human Defense: Threat actors are leveraging AI to increase both the volume and the "fidelity" of phishing. They use personal details from LinkedIn or X to increase click rates. You need a "drumbeat" of security awareness that goes above and beyond annual compliance.

  • Continuous Testing: You can’t just wait for an audit. Implement Continuous Threat Exposure Management (CTEM). Take your red team scenarios and tabletops further by assuming a breach has occurred. Find the weak spots in your externally facing environment and identify where you need "defense in depth" before the attackers find those hot spots for you.

4. In contrast, while many CISOs see AI-powered attacks in their future, a significant number are still somewhat blind to supply chain threats. Only 31% said the biggest security risk they face today could come from within the software supply chain. Why do you believe so many CISOs take this position in light of all the high-profile and extremely costly supply chain attacks that have taken place over the last several years?

Kory: It's a massive challenge because of the element of trust. To have universal clarity into third- and fourth-party risk for every vendor would require a massive increase in headcount. Many organizations have been "conditioned" to believe that the vendor risk process begins and ends with compliance—treating a SOC 2 or ISO 27001 as the ultimate gating factor.

But there are gaps in those questionnaires. You need deeper telemetry. We are seeing programs push for more one-to-one relationships with Tier 1 vendors to ask: "What EDR do you have? What critical technologies are you using to keep us safe?" Since there is often no mandatory regulatory requirement to answer these deep technical questions, the relationship of trust becomes the primary vehicle for ensuring that a vendor's incident response program aligns with your own.

5. Sixty percent of the survey’s respondents said their leadership team does not understand cyber resilience and that there is also confusion over who is responsible for instilling cyber resilience. First, who should lead the charge in building resilience into an organization, and how does a CISO convince executives that the investment is worth making?

Kory: Cyber resilience must ultimately funnel through to the Board of Directors. Whether an organization is in healthcare, finance, or tech, the focus is "customer first," and the dependability of services is more fundamental than ever.

However, you shouldn't let organizational structure constrict your leadership. While the CEO and Board are accountable, anyone (the CISO, CIO, CTO, or a GRC leader) can be a resilience champion. It’s about communicating the current state of your posture in a way that resonates with senior leadership. Resiliency is a topic that security or IT cannot do alone; you must "federate" the conversation across business units to move the needle, regardless of where you sit on the org chart.

6. How can a security team elevate its standing when it is not connecting with business stakeholders, and how do you rectify that situation?

Kory: Culture change is hard and won't happen like a "light switch," but you can start by identifying champions. If you don't feel heard by the senior leadership, General Counsel is a phenomenal place to start.

Building a relationship with the legal team helps you articulate the "defensibility" of your current actions. Other potential allies include the Head of Risk, the CFO, or the CHRO. Once you have these champions, facilitate a Crisis Simulation or Executive Tabletop. Bringing the leadership team through a "day in the life" of a business crisis is an illuminating moment. It helps individuals who didn't think they had a role in cyber realize that they actually do, especially regarding crisis communications and business continuity.

7. How do you create culture change throughout an organization? When it comes to cybersecurity, is it easier to change the mindset of the average employee or of executives? How do we get them on board?

Kory: Thank you for raising that point, because sometimes I think we get overly focused on the need to influence just business executives. We think, “we need more board buy-in! We need the top to get behind us!” However, getting clarity through the entire cyber culture of the organization is just as important. Now, depending on the size of your business, this may be a challenge, but aspirationally, there are vehicles that can take us there.

For example, moving from an annual to a monthly phishing program, finding new and interesting methods to engage the staff, and creating a safe space where employees can ask their questions regarding cybersecurity.

This last point is very important. As a company, we spend a great deal of time reviewing and launching new cybersecurity policies, but chances are, many staffers only review these policies as part of their annual compliance and security review. So, they need a place during the rest of the year to ask questions to educate themselves.

For more information on these and other CISO concerns, please check out our webinar “A CISO's Guide: AI Threats, Supply Chain Risk, and Security Leadership.”

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.