“It’s so important that the CISO gets a seat at the table”: a Q&A with Trace3’s Gina Yacone

Published on September 2, 2024

A leading voice in cybersecurity, Gina Yacone is a trusted advisor to senior security leaders, guiding them through emerging trends and recommending strategies to strengthen defenses. She was also recently named Cybersecurity Woman Volunteer of the Year 2024.

As regional and advisory CISO at the elite technology consultancy Trace3, she also participates in the Trace3 AI Center of Excellence (CoE) Champion Program, keeping her at the forefront of AI and security innovation.

With the role of CISO growing more complex by the day, we sat down with Gina to discuss how security leaders should navigate their newest set of challenges, including those posed by generative AI.

The role of CISO is constantly changing. Can you talk about some of the biggest changes that you’ve seen in your career?

If we think about the threat landscape, even 10 years ago, we were still working with that castle-and-moat mentality in our on-premise data centers. Now, we're essentially borderless. We've undergone cloud migration and adopted hybrid cloud environments, and our systems are dispersed across various SaaS platforms. It's becoming increasingly complex.

In addition to that, the phenomenon of generative AI has lowered the barrier of entry for bad actors - they're becoming more sophisticated with their attacks.

CISOs really have to work hard to stay relevant. Every day, you have to learn. You need to look at your environment holistically, understand where your blind spots are, pay attention to both the known and unknown threats, and make sure those unknowns don't come back to bite you.

If you're not leveling up - by leveraging good partners, technology, and overseeing strong teams and processes - while staying informed on tech trends, you're falling behind.

And if we look at what the SEC requires of enterprises, and by default CISOs, they really want roles and responsibilities clearly delineated. Enterprises cannot just let CISOs be responsible for everything. The SEC wants it more refined, with a thorough understanding of who's on first, and it cannot be one person.

Thinking about generative AI and machine learning, how’s that going to impact the CISO role? For example, should the CISO oversee AI for the whole organization?

CISOs should have a seat at the table. But where does the CISO sit on the organizational chart? Where does the CISO fit in projects in general? Where does the CISO stand in terms of vendor due diligence? These aspects have been evolving significantly over the past one to ten years. However, there is a lot of progress still needed. For me, I see a convergence between infrastructure and security. So, where will the org chart land for the CIO, CTO and CISO? Interesting topic to debate!

Security used to be known as 'the department of no,' but it's time for it to evolve into a true partner, collaborating with both internal and external stakeholders to drive success together.

Not only do CISOs need to understand the risks, but they need to understand how to actively communicate with all levels of the organization.

It’s so important that the CISO gets a seat at the table, in terms of creating an AI Center of Excellence, especially when we're thinking about the increased security risks. It's not just about the bad actors knocking on our door, but it is also securing all layers of the LLM (large language model), as well as securing the automation behind it - think holistic aspect of the AI lifecycle, not silos.

How do organizations and security leaders go about building an AI center of excellence?

At Trace3, we've invested multiple millions in our AI Center of Excellence. We acquired a data company this year, which contributed to the already impressive exponential growth within our data business unit. Additionally, we established a data security fusion team. Our efforts in these diverse areas are crucial for driving innovation and ensuring the safety of our customers.

We are forever learners at Trace3. Currently, all of our workforce is taking some type of certification track so that we can utilize AI in our everyday vernacular. We have a Trace3 AI program, and many are also getting executive-level AI certifications from major colleges and universities.

In today's fast-paced environment, leaders are bombarded with noise and distractions. At Trace3, our business units, especially the Innovation Team, are working tirelessly to cut through this noise by vetting technologies that align with our clients' goals and missions.

From a security standpoint, data protection is paramount. While we can minimize distractions, the core principles of IT best practices remain unchanged - we must safeguard our data. This requires us to be proactive, stay informed, and continually educate ourselves on emerging threats and innovations.

What do you think CISOs should be prioritizing when it comes to governance, risk, and compliance for AI?

Security leaders should consider establishing an AI security, risk, and privacy committee. It's crucial to carefully select the right stakeholders and leaders to be part of this committee.

This committee would focus on understanding the organization’s strategic initiatives to determine where their efforts should be directed. While AI is a significant focus, it's important to remember that overall enterprise security, risk, and privacy concerns must also be addressed daily.

By forming this committee, we can improve AI vendor due diligence. When someone within the organization proposes a new AI technology or productivity tool, committee members - who are engaged in continuous education - can provide valuable insights.

If the organization is developing its own large language models (LLMs) or adopting tools like Copilot(s) or ChatGPT Enterprise, the committee can thoroughly assess the impact on people, processes, and technology. Additionally, the committee plays a critical role in educating the enterprise, ensuring everyone is aware of what's next and that security is a key partner in these initiatives.

The security vendor due diligence process has long been established, but it now needs to be adapted to align with new AI frameworks. It's also essential to weigh the risks associated with introducing AI into the organization, as transparency and truthfulness are vital in this process.

Additionally, as AI becomes more integrated into business operations, it's imperative to develop and adopt AI-specific security and risk frameworks. These frameworks should be tailored to address the unique challenges posed by AI technologies, such as algorithmic biases, data integrity, and - of course - the potential for malicious use of AI.

The committee should lead the development or adoption of these frameworks, ensuring they are aligned with existing security protocols while also addressing the novel risks introduced by AI. This includes establishing guidelines for secure AI development, deployment, and monitoring, as well as creating standards for vendor assessments and third-party AI tools.

Moreover, these frameworks must be dynamic, evolving alongside advancements in AI technology. Continuous monitoring and updating of the frameworks will help ensure that the organization remains resilient against emerging AI-related threats. The focus should be on maintaining transparency, accountability, and ethical standards in all AI initiatives.

Building an AI security committee isn't just about tech. It’s about choosing the right people, asking the right questions, and staying ahead of the risks. It’s where strategy meets security, and innovation meets integrity.

When it comes to communicating with other members of the C suite, what do you think is key to a CISO’s success?

What's truly remarkable today is that CISOs have to not only be technically proficient but also business-minded - someone who can effectively engage with C-level executives and board members but also the keyboard warriors (the engineers).

Understanding the "why" behind the board’s decisions, your peers' motivations, and the strategic roadmap is crucial. The key to this understanding lies in actively listening, being a strong partner to your peers, and leaning into conversations - skills that are often underutilized.

I often find myself asking, "Explain it to me as if I were a three-year-old. Why is this important?" It's about breaking down the significance of an issue for different audiences: Why does this matter to an end user? Why is it critical for the CTO? Why is it essential for the board?

The ability to clearly articulate these 'whys' and champion them across the organization is vital. Strong communication skills are essential to this process, ensuring that the message resonates with every stakeholder.

What advice would you offer CISOs looking to proactively tackle the biggest threats?

Many C-level executives often lack a full understanding of the risks they face, particularly in terms of observability and visibility. They may not realize what they don't know, which is a significant challenge.

Once we identify the nature of these risks, it becomes clear that the crux of the issue lies in the lack of people we have employed to carry out the remediation. That's where automation platforms like Tines become crucial.

Even with an outstanding team, they're often stretched to their limits. We strive to hire people who are smarter than us, but it's equally important to equip them with the right tools to prevent, defend, and recover from threats as quickly as possible.

However, we don't always have the budget or the staff we ideally want - it's a constant challenge. Looking ahead, it's about making smart, strategic decisions daily, both in how we manage our budget and allocate resources. It's also essential to be able to justify and defend those decisions.

It sounds like you’re pretty optimistic about the future and the value that technology can add?

Yes, I am optimistic. While CISOs are often cautious about relying solely on technology, we understand its potential when used wisely. We focus on people and processes first because they are the foundation of our security efforts.

However, we also have to navigate budget constraints and policy requirements. That's why it's important to carefully choose the right tools - technology that empowers our top performers and helps them excel. These decisions are critical for driving success in the future.
