CISO Q&A: Blake Entrekin On Innovating Too Quickly And Letting Adoption Outpace Security

Blake Entrekin, Deputy CISO at HackerOne, discusses the risks of treating AI like another employee and overlooking necessary safeguards.

Last updated on Apr 22, 2026
6 Minutes To Read
Written by Mirren McDade

“Sometimes I have to take off my security hat and look at problems the way the business does.” – Blake Entrekin, Deputy CISO at HackerOne.

Cybersecurity professionals face one of the most challenging jobs in modern businesses: dealing with a constantly evolving threat landscape. Every day, they must navigate challenges and obstacles to get their security posture to where it needs to be—a goal that requires both strategic vision and the ability to balance business enablement with risk management.

In this series, we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experiences to bring you their unique insights into cybersecurity today. We’ll cover the challenges that they face and are expected to face in the near future, the realities of what it takes to defend complex global environments, and the advice that they would offer to other CISOs and cybersecurity professionals.

Blake Entrekin is the Deputy Chief Information Security Officer at HackerOne, where he leads the company’s Governance, Risk, Compliance (GRC), Security, and Privacy programs. With more than 20 years of experience in security and technology, he specializes in building compliance-driven programs that enable business growth across SaaS organizations in financial services, healthcare, and government sectors in both the US and the UK. Before joining HackerOne, Blake held leadership roles at Podium, Palo Alto Networks, and Adobe, where he helped launch Adobe’s Digital Marketing business in China and led several large-scale security transformation initiatives.

We spoke to Blake to get his perspective on the challenges of maintaining ongoing cyber resilience. Read on for his insightful responses to our questions:

What cybersecurity challenges does your team deal with on a day-to-day basis?

We are still facing the usual volume of phishing, malware, and vulnerability exploits. The bigger shift, however, is the rapid and often ungoverned adoption of generative AI (GenAI) within organizations. Development teams are moving quickly, often without security expertise, which creates a steady stream of new vulnerabilities in the codebase. 

The reality is that attackers only need to succeed once, while defenders have to cover every angle [every time]. That means prioritization is everything–focusing on the threats and risks that matter most to the business. AI can help alleviate some of that pressure, but there’s no clear playbook for securing AI systems yet. Our approach is to use the right tools, align security guardrails with business priorities, and adapt in real time.

At the end of the day, it’s about balance. Businesses want to innovate quickly, and it’s our job to enable that speed without compromising security.

How have the challenges you deal with evolved in the last few years?

The most significant change has been the rapid integration of generative AI into organizations. A few years ago, we were not dealing with companies treating AI as a trusted employee without putting guardrails in place. Today, the speed of adoption is outpacing security, and in many cases, the basics are being overlooked.

We are looking at scenarios where AI agents act as employees. They are making decisions, handling data, and taking actions on behalf of the business. That raises fundamental questions: can these agents be phished? How do we grant and monitor permissions? How do we protect their identities? The truth is, we do not have all the answers yet. 

One approach is examining AI agents with identity and access management controls as if they were a human employee, as part of the integration process and exercise practices from those responses, and so forth.

How have you set your team up for success in dealing with these challenges?

Our success depends on reinforcing the importance of human oversight. GenAI accelerates development and allows non-technical teams to write code without understanding security best practices. That creates risk.

We have made it a priority to educate our teams and our peers across the business about these gaps and the role human expertise must play in closing them. We set clear priorities, reassure the team that leadership is making direct calls on the most suitable work for teams to do, and encourage constant engagement with non-security peers. That way, we can support innovation while keeping a security-first mindset.

What technologies, partners, and vendors help you when dealing with these challenges?

This is an area that is still evolving. Many vendors are still figuring out how to secure agentic AI, from permissions to attack surfaces, and the reality is that no one has a complete answer yet.

On that point, we are starting to see real promise in platforms that use natural language for the Security Operations Center (SOC). Imagine moving from minutes to seconds in incident response because the Security Information and Event Management, or SIEM, can process queries conversationally. That is a significant step forward in efficiency.

At the same time, we are focused on getting the most out of the tools we already have, such as access management, SaaS security, and automation platforms. Once we know we are strong there, we will look to expand.

How do you balance security with business agility?

Sometimes I have to take off my security hat and look at problems the way the business does. Is this a competitive advantage? Does it drive revenue? Once I understand the why, I put my security hat back on to figure out how we can enable that goal without opening new risks.

Peer groups are also critical. Knowing what is working for other CISOs helps me evaluate tools and strategies more quickly. From there, we run a proof of concept and ask: Does this solution really solve our problem, and is the vendor’s value proposition strong enough to meet our needs? It’s all part of one big checklist.

What impact do you see new technologies like AI have on your day-to-day, if any? Do you see AI having a long-term impact?

In the professional setting of my day-to-day, I use AI to test attack scenarios, analyze reports, and streamline workflows. While it will not replace human researchers, it will certainly change their job descriptions. Compared to how we trained employees on mobile devices a decade ago, we now need to train our workforce and even our kids on how to use AI responsibly.

From a security perspective, the long-term impact is clear. AI agents will be making decisions on behalf of companies. That creates both efficiency and exposure. Just as we train employees on what’s acceptable and not acceptable, we will need to do the same for training AI systems. I expect to see familiar concepts like red teams and blue teams applied to AI itself as we prepare for the next wave of threats.

What advice would you give to fellow CISOs and industry practitioners?

We have to roll up our sleeves and get into the weeds. The higher up we go, the less technical our jobs tend to be. In this age of AI, we cannot afford to stay hands-off. To lead effectively, CISOs need to understand the technology at a deep level, engage directly with how it is being used, and guide their organizations through the uncertainty.


This is one of many CISO insights being published by Expert Insights.

Written by Mirren McDade, Senior Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.