Cybersecurity

From product to security culture, from reaction to asymmetric trust: how the role of Ciso is changing in the company

by P.Sol.

5' min read

Translated by AI
Versione italiana


For years, we have portrayed cybersecurity as a defensive 'arms race' made up of new products, patches and controls added 'downstream' of projects already in production to guarantee security against intrusions and attacks from outside. Today, that paradigm has run out of steam. The cloud, digital supply chains, remote working, sensors and connected machines within the IoT are exponentially multiplying the access - and fragility - points of companies, while the acceleration imparted by artificial intelligence, particularly on the offensive front, renders the logic of successive patches ineffective. On the contrary, it increasingly imposes the need for a preventive and proactive approach.

What is needed is a concept of 'security by design', which is not just a slogan: it is the ability to transform security into a strategic design that permeates processes, technology and people. This is where the Ciso comes in, the security and IT manager who takes on an increasingly central role in corporate governance.


Gartner had already pointed this out strongly a year ago as part of its strategic forecasts: the discussion on AI and security is no longer ancillary, it is at the heart of every corporate governance strategy and redefines responsibilities and priorities, with impacts on organisation and risk controls. The transformation is not just about the tools: it is about who orchestrates. Ibm reconstructs the historical evolution of the chief information and security officer, who has evolved from a technician focused on firewalls and compliance to a risk manager capable of reading the enterprise and linking digital trust to business continuity, a sort of security 'architect' capable of tailoring defences and tools to the organisation and corporate structure.

Asymmetrical Trust

In Italy, the snapshot is evident in Deloitte's figures: in its recent Future of Cyber Survey, the cyber theme frequently enters the agendas of boards (discussed at least monthly in 69% of companies) and Ciso increases its weight in strategic choices; more than half of organisations plan to increase investment in security over the next 24 months. It is not a matter of 'spending more' on products, but of bringing the security manager to the strategic decision-making table as the architect of a resilience posture: mapping value streams, measuring risk in terms of business impact, translating threats into design requirements for applications, data governance and identities, human and non-human.

The adoption of a zero-trust approach was the big step of the last decade: 'Never trust, always verify' was the slogan of absolute distrust, of a total absence of implicit trust. But AI is eroding the areas of predictability in our systems and even in our behaviour. One interesting proposal that has emerged in the debate over the last few months is the move to 'asymmetric trust': expanding the use of deception and decoy resources to shift the attacker's trust onto fake assets and make lateral movement more costly and uncertain. This is not a repudiation of Zero Trust; it is an operational complement to it, intended to take the advantage away from the criminal first-mover.

The Ciso must therefore act like an orchestra conductor: coordinating all the components of security, from threat intelligence to access controls and system monitoring. But above all, it must establish clear procedures that combine detection, containment and communication, minimising reaction times through automation that limits the risk of human error.

AI, accelerator and destabiliser

AI is both the lever that empowers defenders and the weapon that makes targeted phishing, adaptive malware and prompt injection scalable. The Ciso of the future becomes a curator of the relationship between intelligent machines, people, processes and regulations: not just technologies, but rules of use, process controls and accountability. In Europe, this means aligning the security by design approach with the European regulations of Nis2, Dora, Gdpr and the AI Act. Deloitte confirms that the most mature cyber programmes integrate AI for detection and response and that Ciso's subject matter expertise is now a perceived value driver at board level.

The flip side of the coin is the new class of risks brought by 'agent' tools. Gartner's recommendation to temporarily block AI-integrated browsers in enterprises, because of the risk of 'irreversible and untraceable' loss of data and erroneous automated transactions, is an example of how security leadership needs to make clear-cut, even unpopular, decisions pending mature controls. It is not a 'forever' ban; it is an invitation to govern adoption: clear rules on what can be shared with AI, isolation of sensitive contexts, human verification of critical actions, and enablement only for compliant tools.

Culture and Processes vs. Technology

"More products and software are not enough." The operative conclusion, however, is not 'less technology' but more method. The security manager must be able to build a widespread culture that makes human error less likely 'by design'.

In the case of sensitive functions such as payments, Iban changes or confidential access, for instance, a single verification is not enough: double confirmation on different channels is needed to reduce the risk of fraud. In these cases, additional authentication is the concrete answer to fake voice mails and perfect emails created by AI.

Companies also need to know, in real time, which parts of their systems are visible and vulnerable: this means continuously monitoring, prioritising the most serious risks and closing flaws before they become incidents, an approach that Gartner points to as key to drastically reducing breaches.

In the case of software development, security should not be 'added' at the end, but must be provided for already in the design phase. This means setting clear rules, limiting access privileges and segmenting networks to reduce damage in the event of an attack. The 'digital' identities of the machines must also be carefully managed.

Business data, another particularly sensitive area, must be classified, protected and accessible only to those who really need it; encryption must be automatic, activity logs complete and retention proportionate to the risk. These precautions are in fact the bridge between compliance and the ability to guarantee operations even in the event of a crisis.

This is orchestration: not a catalogue of tools, but a coherent design in which people know what to do, when and with what responsibility. Deloitte shows that where Ciso sits firmly at the strategic table, the likelihood of hitting business objectives increases and security becomes an enabler, not a brake.

The principle of security by design evolves, therefore, into resilience by design: starting with the assumption that the system may be under attack, design to isolate, restore quickly and communicate transparently. In 2026, we will see AI making both attacks and defences faster. The winner will be those who can reduce the time between detection and containment with reliable automation, secure backups and clear decision chains.

Copyright reserved ©