The role of the Chief Information Security Officer (CISO) has undergone a profound transformation, particularly with the rise of agentic artificial intelligence (AI). In an interview with Help Net Security, John White, EMEA Field CISO at Torq, highlighted that accountability is now a significant focus for security leaders as they navigate the complexities of hybrid workforces where humans and AI agents collaborate closely.
As organizations increasingly integrate AI into their security frameworks, the responsibilities of CISOs have shifted dramatically. White emphasized that the emergence of an agentic workforce—where AI not only automates tasks but also provides real-time insights and responses—places a greater burden of accountability on security leaders. They must not only oversee the implementation of these technologies but also remain responsible for the outcomes, including the consequences of inaction if organizations fail to adopt and manage AI capabilities effectively.
Redefining Security Structures
In the past, security teams traditionally followed a hierarchical model, which often stifled innovation and agility. According to White, the landscape has changed significantly. “Ten years ago, every org chart looked the same, a traditional tree-like structure depicting tiers of responsibility and specialist silos,” he stated. Today, CISOs are tasked with designing and governing a hybrid workforce that includes both human talent and AI agents.
This new paradigm requires security leaders to make critical decisions about which operations can be automated and which require human oversight. The challenge lies not just in selecting appropriate tools but also in ensuring that AI agents can effectively contribute to the organization’s security posture without compromising safety.
White noted that accountability is now a central theme in the CISO role. “When an AI agent acts at scale, the CISO remains accountable for the outcome,” he explained. This level of accountability was not present a decade ago and represents a significant shift in how security leaders approach their responsibilities.
Managing Risks in a Fast-Paced Environment
The retail sector exemplifies the challenges CISOs face in balancing security with business needs. White shared experiences where the fast pace of development often outstripped the maturity of security controls. He faced situations where delaying a product launch to implement new security measures could have had a detrimental impact on revenue, particularly during peak shopping periods.
“The compromise was never ‘ignore security,’” he said. Instead, White advocated for a shift from preventive to detective controls, allowing organizations to accept short-term risks with established guardrails and monitoring systems. This approach enables businesses to make informed decisions while navigating the complexities of modern security threats.
White also expressed concerns about the limitations of quantifying cyber risks. He argued that focusing too heavily on historical data can create a false sense of security. “While quantification has value, seeking precision based on past trends may anchor discussions in technical debt rather than align leadership around emerging risks,” he stated.
CISOs must adopt a forward-looking perspective that encourages strategic innovation and resilience in their organizations. This mindset shift is crucial as security threats become increasingly dynamic and complex.
As organizations evaluate security solutions, the emphasis has moved away from merely assessing features, coverage, and integration into human-led processes. White now prioritizes whether products can operate safely and transparently at machine speed while producing positive business outcomes. He looks for technologies that can autonomously manage tasks, reducing cognitive load on teams and providing actionable insights.
“The strongest platforms can measure and report on their own effectiveness, turning security from a reactive function into a continuously optimizing system,” he added.
With attackers already operating at machine speed, organizations relying solely on human workflows risk falling behind. Security platforms are now integral to organizational design, and those who adapt quickly will have a competitive advantage.
John White concluded by stressing the importance of maintaining accountability and resilience in security measures as businesses evolve. He warns against over-reliance on large, familiar platforms, as they may not be designed for autonomous operation at scale. “The illusion of safety disappears quickly when you realize you don’t control the recovery path,” he stated, emphasizing the need for organizations to remain vigilant and proactive in their security strategies.
In an era where the threat landscape is continuously evolving, CISOs must adapt their strategies to incorporate AI effectively while ensuring accountability and resilience in their organizational approaches.
