Baltimore Business Daily News

collapse
Home / Daily News Analysis / The CISO selling confidence in a market full of breach headlines

The CISO selling confidence in a market full of breach headlines

Jul 13, 2026  Twila Rosenbaum 13 views
The CISO selling confidence in a market full of breach headlines

Engineering teams across enterprise IT are writing their own software with AI coding assistants, spinning up agents that act on their behalf, and assigning those agents the same access privileges their human creators hold. The shift has pulled the role of the chief information security officer (CISO) into territory that did not exist two years ago. Speaking at the Span Cyber Security Arena conference, Hrvoje Englman, CISO at Span, said it is changing what defenders worry about most.

Span’s workforce includes a sizable population of developers alongside a larger group of engineers. The engineers are the new variable. With AI-assisted coding, they are building applications and personal agents to automate parts of their own jobs. Each new agent inherits the identity of its creator, and those identities are typically over-provisioned. Least privilege remains an aspiration that is hard to enforce in production environments.

“I cannot be the blocker,” Englman said. “You cannot block progress. People will find ways around it.” His priority is enabling secure use of AI inside the company rather than prohibiting it.

The bus-factor problem multiplies

The risk extends beyond access control. When a single engineer automates a business process using five interacting agents and then leaves for another job, the organization inherits an undocumented system that nobody understands. Englman called this an inversion of the traditional bus-factor problem. Previously, a key person leaving created a knowledge gap. Now the agents they built keep running, and the company has no record of what they do or why.

This phenomenon is accelerating as more employees adopt AI tools without central governance. According to industry surveys, over 60% of organizations now report that employees are using unsupervised AI assistants for code generation, and fewer than one in three have inventory controls to track those outputs. Without formal discovery and documentation processes, enterprises risk accumulating a shadow network of automated processes that can fail, expose data, or create compliance violations long after the original author has departed.

Englman recommended that security teams work with human resources and IT operations to establish a formal offboarding process that includes not just disabling user accounts but also scanning for and decommissioning agents associated with that identity. Some organizations are beginning to require that any AI-generated agent be registered in a central repository, with a documented purpose and owner. However, enforcing such policies in a culture that prizes speed and innovation remains difficult.

Defender’s leverage is real, with limits

AI has produced concrete gains in defensive work. Englman pointed to log analysis as one area where the value is immediate. Feeding hundreds of megabytes of log files into an AI tool and asking it to surface anomalies or pivot on an IP address compresses work that previously took analysts hours. Policy drafting is another use case. Generating a first draft from internal context can cut a three-day task to a single day, and the time savings compound across a workforce.

He drew a sharper line on the vendor pitch for autonomous AI-driven security operations centers (SOCs). The idea of defensive AI battling offensive AI in real-time, with no humans in the loop, does not match what is achievable now. Log ingestion remains the hardest part of running a SOC, and detection engineering still depends on people who can explain why an alert fired.

“You get an alert, but your analyst doesn’t understand the alert,” Englman said, describing the failure mode he sees in teams that lean too heavily on automated tooling. “And you have two million alerts, and then what?” Autonomous isolation of systems remains out of reach because the AI does not understand the business process. Decisions about when to shut down a critical service get escalated to senior leadership during real incidents, and that judgment stays with humans.

He also pushed back on the industry framing of breaches. Most of the largest incidents trace back to phishing and credential theft. Vendors selling AI-powered SOCs as a defense against nation-state actors are addressing a smaller part of the problem than their marketing suggests. The Verizon Data Breach Investigations Report consistently shows that over 80% of breaches involve the human element, with stolen credentials being the most common entry vector. Investing in basic hygiene — multi-factor authentication, patch management, and user awareness training — often provides more risk reduction than a sophisticated AI platform.

The threat model for a services provider

Span sells IT services to enterprise clients, which doubles its exposure. The company is a target in its own right and a target for attackers seeking access to its customers. A typical end-user organization can absorb a breach and recover. For Span, the response itself becomes the product on display.

Englman said the company has to be able to demonstrate that controls were in place, that the failure was contained, and that the incident was handled with the same discipline it offers customers. Reputation is what gets sold, and negligence would end the business. This reality forces Span to maintain rigorous incident response playbooks, conduct regular tabletop exercises with both internal and client stakeholders, and invest in detection capabilities that provide early warning across their entire managed infrastructure.

Third-party risk management has become a board-level concern, with regulators increasingly holding service providers accountable for breaches originating in their environments. The SEC’s cyber disclosure rules, for example, require public companies to describe their processes for assessing and managing material risks from third-party service providers. For a firm like Span, that means every control failure is potentially a matter of public record and shareholder loss.

Skills shortage, restated

The widely discussed cybersecurity talent gap, in Englman’s view, is misframed. Entry-level applicants are abundant. Senior practitioners with five or more years of operational depth are scarce, and that gap cannot be closed quickly through training programs. The Span Cyber Security Center has trained more than 3,000 people, and Englman said the pipeline matters precisely because the industry’s push toward automated tooling threatens to eliminate the junior roles where future experts get built.

His measure for a SOC analyst centers on whether they can explain what the alert means and how the conditions that triggered it came about. Without that understanding, an analyst rolling a fifty-fifty guess on relevance is no better than a model doing the same. The industry needs to maintain a path for newcomers to develop intuition and deep technical skill, rather than relying solely on automation that abstracts away context. Program like Span’s training initiative aim to rotate analysts through different security domains — threat intelligence, forensics, incident response — before specializing, building the cross-functional understanding that senior roles require.

Englman also noted that many organizations underestimate the time needed to develop a senior analyst. It is not uncommon for a new hire to require 12 to 18 months before they can independently handle complex investigations. During that period, mentorship and exposure to real incidents are critical. Cutting that short by leaning on AI triage tools may produce short-term efficiency gains but creates long-term fragility, as the institutional knowledge base erodes.

The wisdom he has discarded

Asked which piece of conventional security wisdom he has stopped believing, Englman named the framing of humans as the weakest link in the chain. He called it lazy and a form of blame culture. The responsibility, he said, sits with the CISO to build systems where a user clicking a malicious link does not bring the environment down. Brittle defenses that depend on perfect human behavior are a design failure.

Instead, security leaders should assume that humans will make mistakes and architect controls that absorb those errors without catastrophic failure. This means investing in network segmentation, robust backup and recovery procedures, and continuous validation of user permissions. It also means fostering a culture where employees feel safe reporting mistakes without fear of punishment, so that operational weaknesses can be addressed before they are exploited.

Englman’s perspective reflects a broader shift in the security industry toward resilience over prevention. No system can be made impervious to determined attackers, but organizations can design to limit blast radius and recover quickly. In a market saturated with breach headlines, the CISO’s job is to sell confidence — not that breaches will never happen, but that the organization is prepared to detect, respond, and learn from them without losing the trust of customers and stakeholders.


Source:Help Net Security News


Share:

Your experience on this site will be improved by allowing cookies Cookie Policy