Kitecast

By: Tim Freestone and Patrick Spencer
Kitecast features interviews with security, IT, compliance, and risk management leaders and influencers, highlighting best practices, trends, and strategic analysis and insights.

© 2026 Kitecast

Episodes
  • Aaron McCray: Ferrari Security: Speed With Guardrails
    Mar 11 2026

    Can you drive a Ferrari at 150 miles per hour without its enhanced safety package? Sure. Should you? That's the question Aaron McCray, Field CISO at CDW and retired U.S. Navy Commander with 27+ years in information warfare, poses to every CISO still white knuckling their way through 2026 with a 2021 playbook. In this episode of Kitecast, host Patrick Spencer and McCray dig into why the old way of doing security isn't just outdated—it's dangerous.

    McCray traces the CISO's evolution from post-COVID belt-tightener—the person whose job was to consolidate tools, justify every dollar, and basically serve as the "office of no"—to something far more consequential. Today's CISO needs to be a strategic risk executive who speaks the language of CFOs, not just firewalls. That means understanding EBITDA, financial risk quantification, and how a $350,000 investment in multi-factor authentication can translate into $35 million in reduced risk exposure. If you can't make that pitch, McCray argues, you're getting left behind.

    The conversation takes a sharp turn into the AI landscape, and McCray doesn't hold back. He's seen PCs, the internet, and mobile technology reshape the world over his career, but nothing compares to what AI is doing right now. "I don't mean that to sound like hyperbole," he says. "I really don't." The speed, the capability, the risk—it's all unprecedented. And while organizations scramble to harness AI's potential, many are sleepwalking past the dangers. Shadow AI is McCray's particular concern. He describes employees accessing public AI tools through browsers, unknowingly opening backdoors that exfiltrate proprietary data and invite threats back in.

    That leads to what might be the podcast's most important thread: ethics. McCray pulls no punches with real-world examples. One global organization trained AI to screen resumes and ended up systematically discriminating against qualified women. Another rushed self-driving technology to deployment before it was ready, resulting in a pedestrian's death. His message is blunt—just because you can doesn't mean you should. And without humans in the loop, governance frameworks, and genuine ethical guardrails, AI will optimize for whatever you point it at without ever asking whether it should.

    McCray also makes a compelling case for data security posture management, arguing that data isn't just a cybersecurity problem—it's a business problem. His parting advice for CISOs? Stop leading with fear, uncertainty, and doubt. Stop blocking innovation. Start enabling the business to move fast—but safely. He compares it to buying a Ferrari: you can drive it stock, or you can invest in the enhanced safety package. When you're doing 150 down a two-lane road, you'll want those features.

    LinkedIn: https://www.linkedin.com/in/awmccray/

    Website: https://www.cdw.com/

    Recommended Reading: Walt Powell, The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership

    Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

    47 m
  • Justin Greis: AI Meets Cybersecurity
    Oct 27 2025

    Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of the AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation.

    Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly.

    Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards.

    Greis emphasizes that compliance certifications like SOC 2 or ISO represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards.

    The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer.

    The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details.

    As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries.

    Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows.

    LinkedIn: https://www.linkedin.com/in/justingreis/

    49 m
  • Kevin Powers: From Academic to Practical Cybersecurity
    Oct 16 2025

    Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals.

    The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33.

    A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications.

    "Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0, FedRAMP, and the NIST Cybersecurity Framework.

    The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output.

    Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail.

    Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity, which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders.

    For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity.

    LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/

    Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html

    51 m