CISO Q&A: Conor Sherman On How AI Broadens Both Opportunity And The Attack Surface

CISO Conor Sherman shares his insights into current cybersecurity challenges and how to tackle the cyber threat landscape’s rapid evolution.

Last updated on Apr 22, 2026
Written by Mirren McDade

“AI [is] accelerating both offense and defense. The question is whether defenders adopt it fast enough to keep pace,” says Conor Sherman, CISO in Residence at Sysdig.

Cybersecurity professionals face one of the most challenging jobs in modern businesses: dealing with a constantly evolving threat landscape. 

It is essential that these professionals find ways to effectively navigate challenges and obstacles to get their security posture to where it needs to be. Achieving this goal requires strategic vision and the ability to balance business innovation with risk management.

In this series we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experiences to bring you their unique insights into cybersecurity today: the challenges they are facing and expect to face in the near future, the realities of what it takes to defend complex global environments, and the advice they would offer to other CISOs and cybersecurity professionals.

Conor Sherman is the CISO in Residence at Sysdig and has over 15 years of experience leading security programs across fintech, SaaS, GovTech, and private equity environments. He currently works closely with the Sysdig Threat Research Team and CISOs to understand emerging cloud and AI security challenges, working to translate their needs into product and community impact. Conor has also previously worked on building and scaling enterprise security and threat intelligence programs. He is a regular speaker at events like RSA and Gartner’s Risk & Security Summit and is known for his pragmatic, trust-centered approach to cybersecurity.

We spoke to Conor Sherman to get his perspective on the challenges of maintaining ongoing cyber resilience. Read on for Conor’s insightful responses to our questions:

What cybersecurity challenges do your teams deal with on a day-to-day basis?

The biggest shift I’m seeing is the pressure to integrate AI directly into the software development lifecycle. 

Teams want the velocity gains, but they’re running headfirst into the tension between speed, quality, and security. You can’t bolt AI onto the SDLC without also rethinking how you validate code, govern models, and monitor the decisions those systems make. We’ve talked about shift-left, but this transformation requires businesses to “shift up.”

At the same time, security teams are confronting a parallel challenge: threat actors are already using AI to automate reconnaissance, exploit development, and social engineering. Defenders know they need AI in their stack just to keep pace with the tempo of attacks.

The expectations for a comprehensive enterprise security program haven’t changed, but the introduction of AI has widened both the opportunity and the attack surface. The organizations that succeed will be the ones that treat AI not as an accelerator in isolation, but as a new dependency that requires the same rigor, governance, and runtime visibility as any other component in the delivery chain.

How have the challenges you deal with evolved in the last few years?

The “do more with less” mandate is forcing a structural rethink of security disciplines that were historically labor-intensive, like third-party risk, control validation, evidence collection, and even baseline cloud security operations. These functions can’t scale through manual effort anymore. They need to behave with the same automation, repeatability, and engineering rigor as the delivery pipelines they protect.

That reality was underscored by the recent Shai-Hulud incident, in which a novel, self-replicating worm was discovered propagating through compromised NPM packages. This was a clear demonstration of how fragile the modern software supply chain has become. A single upstream dependency can silently introduce malicious code into hundreds of downstream projects, long before anything reaches production.

Incidents like that erase any lingering debate over whether CI/CD security controls are “nice to have.” When the attack surface now includes the build system, the package ecosystem, and the automation that stitches them together, pipeline security becomes foundational. The shift is a reminder that today’s risks emerge before runtime, and organizations that “assume breach” and adapt their security models to that reality will be the ones that maintain trust in an increasingly hostile ecosystem.

How do you set teams up for success dealing with these challenges?

Culture and communication remain the foundation of any high-performing security organization. As the pace of change accelerates, teams need tighter feedback loops and sharper data reporting so information and decisions can move at operational speed. You can’t defend what you can’t see, and you can’t respond if insight doesn’t reach the right people fast enough.

That only works in a culture grounded in trust. One where engineers, operators, and security leaders share context openly and surface issues early. I don’t view clear communication as a “soft skill.” I see it as a deliberate choice in organizational design. When information flows cleanly across teams, the entire business becomes more resilient, more adaptive, and far better equipped to manage the realities of modern risk.

What technologies, partners, and vendors help you when dealing with these challenges?

At Sysdig’s recent Cyber Advisory Board session, I gathered 15 security leaders whose recent experiences shared a consistent theme: the average enterprise is now running roughly a dozen security tools across code design, build pipelines, cloud infrastructure, and production workloads. That fragmentation is a symptom of how quickly the risk surface has expanded, and it creates real operational drag.

In that environment, a unified cloud defense platform – what the market refers to as CNAPP, or cloud-native application protection platform – is becoming less of a strategic preference and more of an operational requirement. Security teams need a consolidated view of risk and a way to connect signals across the SDLC, from code to runtime.

What encouraged me in the conversation was seeing how quickly these leaders are pushing for integration rather than proliferation. The goal isn’t to give security more tasks; it’s to provide them with a platform that evolves with the business and enables them to deliver real outcomes.

How do you evaluate new vendors in the cybersecurity space?

A strong track record of innovation, adaptability, and real commitment from the founding leadership team matters more now than at any point in the last decade. The modern tech environment isn’t one where you can depend on legacy security or slow-moving roadmaps. From founders to engineers, everyone needs to be fully engaged in solving the problems that today’s enterprises actually face.

When evaluating vendors, I look for teams that understand both sides of the equation: the evolving threat landscape and the operational realities of my business partners. I need to show clear ROI to my peers in finance and the executive team, and I need my engineering counterparts to experience security as a seamless extension of their workflow, not a separate, brittle layer.

What I’m hearing more often from my peers is that a fragmented security stack with siloed data is no longer tolerable. The future is integrated, context-aware systems that understand the business they’re protecting and can move at the same velocity (or faster) as the teams they support.

How do you balance security with business agility? 

In practice, the primary mandate of a security organization is to ensure the business operates within its defined risk tolerance. The CISO’s job isn’t to fix every vulnerability. It’s to identify material risks, assess their impact, and then guide the business when those risks exceed what leadership is willing to accept. That clarity of purpose separates busywork from meaningful governance.

Once that routine is in place (finding risk, pricing it in business terms, and guiding decisions), the tension between security and agility starts to dissolve. Leaders can see the trade-offs in front of them and make informed choices about where to accept risk and where to invest in control.

The business exists to pursue opportunity. The CISO’s role is to be the clear-eyed observer of the terrain, surfacing the real risks and helping leadership navigate them with precision.

What impact do you see new technologies like AI having on your day-to-day? Do you see AI having a long-term impact?

AI is transformative, and the real risk is that defenders won’t adopt it with the speed or precision this moment demands. Threat actors have the luxury of unlimited experimentation, allowing them to iterate until a successful approach is found. Defenders don’t get that luxury. We must be methodical, but the urgency is real.

You can see the trajectory in DARPA’s AI Cyber Challenge at DEF CON. Researchers demonstrated cyber-reasoning systems capable of analyzing open-source code, discovering vulnerabilities, and generating proof-of-concept exploits at an average cost of roughly $145 per task. That price point tells a clear story that AI is shrinking the cost of being a threat actor.

For defenders, this means AI can’t remain a side project. It must become part of how we identify and remediate vulnerabilities at scale. We’re already seeing that shift. Many organizations, including Sysdig, are operationalizing these techniques and bringing them directly to customers. Our AI cloud analyst, Sysdig Sage, for instance, has already helped security teams reduce their mean time to respond by 76%, shrink exposure to critical vulnerabilities from days to minutes, and reclaim over 80 hours a week once spent on manual triage.

There is a hopeful data point from the same DARPA challenge: those AI systems weren’t just finding vulnerabilities, they were able to generate and apply fixes for roughly 70% of what they discovered. That’s the future: AI accelerating both offense and defense. The question is whether defenders adopt it fast enough to keep pace.

What are the early warning signs that a growing company’s security posture isn’t keeping up with its business pace?

When a business’s security fundamentals start to break down, it’s almost never an isolated failure. At that point, it’s a systemic problem. If the business is moving faster than its underlying foundations can support, you can patch symptoms all day and still fall behind. That’s how organizations end up in a perpetual game of whack-a-mole, where every fix creates a new point of friction somewhere else.

A leader’s job is to spot those high-friction signals and resist the temptation to treat them as tactical issues. Instead, you invest the time and talent to uncover the root cause and understand the broader pattern. When you solve the system-level problem, the underlying constraint or misalignment, you eliminate an entire class of failures and restore the organization’s ability to move with clarity and speed.

How do you turn compliance into a business advantage rather than just a checkbox exercise?

This is the era of trust. The market is flooded with AI-powered products that sound impressive on the tradeshow floor but struggle to clear even a basic demo. In that environment, trustworthiness becomes the primary differentiator in any deal cycle. Buyers want to know whether a vendor can operate safely, reliably, and transparently, not whether they can produce another slide deck.

Security leaders have a rare opportunity to reset the narrative. Compliance has value, but it is a snapshot; it tells us that certain guardrails existed at a single moment in time. The conversation has already moved beyond that. Customers, partners, and regulators want real-time confidence in how a company operates in real time, not what an auditor recorded nine months ago.

Trust is built on three pillars: security, meaning freedom from adversarial interference; safety, meaning systems behave within expected boundaries; and resilience, meaning the business can continue to function under adverse conditions. When security leaders anchor their programs to those pillars, they shift the focus from static audit artifacts to continuous assurance.

What advice would you give to fellow CISOs and industry practitioners?

Lean in. This is not the moment to assume that what worked last year will work tomorrow. Traditional 30-60-90 day cycles are already too slow for the tempo of modern threat actors, and annual compliance attestations are losing their meaning in a world that demands real-time assurance.

Teams may be getting smaller, but they now have access to capital and AI capabilities that can meaningfully augment their effectiveness. The core principles of the last 15 years remain unchanged, but the way we execute those principles must evolve.

The winning strategy is straightforward. Organizations must embrace change, invest in proactive and real-time defenses, and use data to decide where improvements will deliver the greatest resilience. The organizations that lean in now will be the ones prepared for the next turn in the landscape.


Written by Mirren McDade, Senior Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.