CISO Q&A: How Security Leaders Can Close The Gap Between Accountability And Authority

"Any motivated adversary with time and budget gets in, full stop. The goal is to be resilient," says Jeremy Powell, CISO at Sumo Logic.

Last updated on Jun 22, 2026
Written by Mirren McDade

Jeremy Powell is a cybersecurity executive whose career has spanned nearly three decades across engineering, product, and security leadership.

Powell has held CISO and CTO roles at LockThreat GRC, Zyston LLC, and Verint, with earlier experience in private equity, public-company security, and building data centers globally. He has also published widely on security leadership, including the LinkedIn Pulse article The CISO Exodus, which argues that CISOs aren’t burned out, they’re structurally set up to fail.

Powell is Chief Information Security Officer at Sumo Logic, a cloud security analytics platform, having joined the company around a month before we conducted this interview. There he focuses on consolidating fragmented programs, maturing governance, and defining the role of agentic AI in modern security operations.

We spoke to Powell as part of our ongoing series interviewing cybersecurity professionals to bring you their unique insights into cybersecurity today, the challenges they are facing, and the realities of what it takes to defend complex global environments.

What cybersecurity challenges are you and your team focused on right now, and how do you set them up for success in dealing with them?

Some of the challenges we’re seeing are AI-related, but mostly it’s about fragmentation, which is what you’d expect after Sumo’s meteoric rise, going public, and being taken private. That’s normal in any organization but maybe amplified here.

That means consolidation and trying to get a better signal-to-noise ratio across the organization. We’re also maturing the program from where it is today. It’s not that you step in the door and things are bad; it’s just, how do we refine this? How do we update it? How do we make it more efficient?

The second point is AI. When you walk into a role like this, especially right now, you have so much investment and internal pressure to execute against a strategy, and you need to make sure that strategy is effective. We’re looking at how we automate, how we make governance more effective, and how we consume our own product. One unique thing about Sumo is that our security team is essentially patient zero; we test everything live from what’s shipping out of product development, which is an interesting dichotomy.

What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?

AI is structural. It’s a genre-defining technology, and it’s going to change just about everything. I have two children in college, and the proliferation of LLMs in their schoolwork is staggering. The technology is allowing capability we haven’t seen before and giving us speed of execution.

There are a couple of instances in the industry that illustrate this. Palo Alto’s Unit 42 used agentic tooling to take a ransomware operation from end to end in about 25 minutes. That was reported a couple of weeks ago. Those types of tools allow for leverage in a pretty structural way, but the other side is adversarial: bad actors are using AI as a force multiplier against your operation.

There’s good and there’s bad. The long-term impact is that AI will structurally change everything we do, from automation to execution.

In announcing your move to Sumo Logic, you talked about “challenging the new world of agentic AI by demonstrating that we can utilize that technology to help protect our customers.” What does that look like in practice — where is agentic AI actually defensible right now, and where is it still mostly marketing?

The truthful answer from a technologist and engineering perspective is that agentic AI is a force multiplier on the analyst. With Sumo, it’s a force multiplier on the data layer too. Things like autonomous triage, enrichment, correlating signals across noisy data, accelerating an investigation, and recommending the next action are actually grounded in high-fidelity data. Reasoning is shown, there’s still a human in the loop, and that’s essentially the line where our SOC analyst agent, Dojo, sits. It recommends actions but doesn’t just throw another alert over the transom. It keeps the analyst in the driver’s seat, and you can actually measure that.

Where it’s marketing is the “lights-out, self-healing SOC.” You’re still going to need human talent for a long time; a fully autonomous SOC isn’t on the horizon.

I look at things adversarially. Show me the model, show me how it explains its reasoning, and show me how it makes a decision on a recommendation. If you can’t follow that back (which you can inside our agent), it’s essentially just noise without signal.

Will there be a point where human talent becomes superfluous? I don’t really know. I couldn’t put a time horizon on it. What I do think is that AI is going to make talented people faster, more accurate, and more efficient. That’s where I’d land the answer right now, until we see something different or a major technology leap forward.

You moved from CTO at a GRC vendor (LockThreat) back into the CISO seat at Sumo Logic. What did the product/vendor side of your career teach you about how CISOs actually use the tools they buy — and what they wish vendors did differently?

CISOs don’t buy features. They don’t buy technology. They buy outcomes. Full stop. Their thought process is: How do I reduce risk? How do I get time back? How do I become defensible to a board or an auditor? That’s the answer.

This goes back to my fragmentation point: there’s shelfware all over the place. Walk into any security program and you’ll see a quarter-of-a-million-dollar product that was implemented successfully but isn’t producing what the security organization or the CISO actually needs. There’s great tooling out there, but the question is how you translate its output into a security and business outcome.

That’s also where expectations have shifted. As a security practitioner, you’re grounded in engineering and the technical side: how threat actor A is doing attack B to produce some outcome. That’s noble and novel, but in reality, this is a business and reputational function. There needs to be proper business understanding of the impact, and frankly the blast radius, of what happens in security. That has to translate into risk for the board, the leadership team, and your financial partners, who need to transparently understand the business risk profile and how to mitigate or manage it.

That’s where the switch gets flipped: how do I take what I know is going on from a technologist standpoint and translate it into something meaningful to the CFO who’s funding the program?

In your LinkedIn Pulse article The CISO Exodus, you argued that CISOs aren’t burned out — they’re structurally set up to fail. What’s the most urgent structural fix the industry needs to make, and who’s responsible for making it?

The most urgent fix is to align accountability with authority and visibility. If you’re going to make the CISO responsible for something (and this is a phrase I use all the time), if something happens and it becomes a resume-generating event (which is the ultimate in bad: you lose your job, you have reputational damage), then you have to have an accountability trail all the way through. And you need real visibility into it.

Going back to the signal-to-noise ratio: sitting in a board meeting and saying, “Ladies and gentlemen, this is the actual issue, this is what happens if we don’t mitigate, and this is the risk we are taking,” that’s the first thing. You don’t give CISOs the hand-waving. You need ground truth and real-time visibility into what’s going on.

Who owns it? It’s shared, but honestly, in the organizations I’ve been a part of, it’s a board responsibility. The board needs to know. If you’re talking to a lot of CISOs, they’re definitely seeing more security talent, more granular investigation of their programs, and more security accountability at the board level. This started happening at large scale with public companies maybe eight or nine years ago. Now it’s just more granular and refined.

What advice would you give to fellow CISOs and industry practitioners?

The first thing I would say is: get clarity on your mandate, your authority, and the organization’s risk tolerance. Get it all in writing before you take the seat. Don’t sign up for anything you don’t know about, and make sure the leadership team is clear on what they’re agreeing to.

Two more parting shots. First, stay technical, especially in how you think adversarially. You want to think like an attacker. Do we all need to go out and get certifications? No. But you really need to understand how things work. You may not need to write the bash script yourself, but you definitely need to understand why the bash script needs to be written.

And finally, speak the business language. Technology and security are a plank to get business done. If we’re all honest with each other, no one cares about security unless you’re a security practitioner. I don’t want to be flippant about that, but it’s important to do the business: you have to generate revenue, you have to drive shareholder value. That’s why you’re there. Technology and security are a plank to make that happen, and you need to speak that language to enable the security program to work properly.

Written By
Mirren McDade, Senior Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.