Managing Risk in an Evolving Threat Landscape: A Conversation with Erik Montcalm

Written by SecureOps Team | Sep 12, 2025 4:36:10 PM

The responsibilities of a CISO have never been more demanding. The rapid pace of technological adoption, the spread of new attack surfaces, and the growing weight of regulatory pressure have forced security leaders to balance risk management with operational priorities. The role requires both technical mastery and organizational diplomacy.

In this interview, Erik Montcalm, Vice President of Security Services at SecureOps, offers his perspective on how CISOs should think about risk, where organizations struggle to align security with business goals, and how emerging technologies such as generative AI add to the threat landscape. His answers highlight the realities of security leadership in an environment where breaches are certain, but resilience and response remain within an organization’s control.

CISOs and Risk Management in 2025

How should CISOs think about risk today?

Erik Montcalm: I'd like to flip that around. CISOs have always thought about risk in what I consider the correct way. Of course, I'm a security professional. So, we are probably like-minded. I think organizations should more actively listen to their CISOs and figure out how the organization can align to fit that world view. And it doesn't need to be a massive change. Internal partnerships and giving everybody a seat at the table makes a huge difference. That is really the future because cyber attacks are not going away. Breaches will happen. It's only a question of how often and how bad.

The thing you can control, as a CISO, is your response and how much you're investing in risk mitigation.

Security is sometimes prioritized over operational efficiency, leading to pushback from other internal stakeholders. How do you as an MSSP navigate that contention and advocate for robust security?

Erik Montcalm: Our role is to share recommendations based on our expertise on how to be safe. Then we help clients weigh them against business impact. If a client feels the strongest control is too heavy, we provide secondary options and work toward the level of protection they can accept.

In recent years, these choices have shifted from being imposed top down by CISOs to being owned by the business units themselves. Once leaders understand the impact falls on them, their perspective changes. We align with their risk tolerance while ensuring they fully understand the risks and possible consequences.

This model distributes accountability and prevents the adversarial dynamic that can emerge when security is seen as restrictive. CISOs need to communicate that breaches may still occur, but controls reduce the frequency and likelihood of such incidents. It is about lowering risk, not eliminating it. Companies that embrace this message build stronger partnerships.

Some organizations tolerate higher risk, others invest heavily to reduce it as much as possible. I do not prefer one approach over the other. What matters is that companies no longer expect full protection or ask, “Can you guarantee I won’t be breached?” Everyone now recognizes that no one can make that promise, because it depends on too many things. And attackers are very good at what they do.

For those companies that do have a higher risk tolerance, how should they approach cybersecurity?

Erik Montcalm: A high risk tolerance is basically admitting you're okay with the higher likelihood of breach, so your focus should be on the response. To start, practice for when it happens. Run your playbooks, visit them often, and do some wargaming. You need to make the proportional investment to back your decisions.

The other thing I would focus on at the higher levels is education. So, when it blows up, everybody's aware of how these policies were decided. Often what I've seen is businesses don't review those policies often enough and then stakeholders claim ignorance. They didn't know or nobody told them about that decision. 

We really want to avoid the blame game, because it slows mitigation down, creates resentment, and makes securing the organization that much harder.

Let’s move on to more specific risks. What emerging risks or security requirements does generative AI technology bring that we haven’t considered before?

Erik Montcalm: I don't believe AI is outside of the realm of traditional controls. You may need a bit of new technology, but the building blocks are still the same.

You still need a policy and to decide what your position is on the use of AI. And then you need to write a process or documentation to educate the users. You still need to implement some type of control. Now, I’ll caution that controls are rarely granular enough to do the exact thing you want, but having some basic monitoring in place is essential. It makes sure that if something goes really haywire, you detect it with some blocking in place and automation when possible. To me, it's doing the same stuff and applying it to something new.

However, that doesn’t mean there aren’t risks. I’ve been increasingly concerned with the loss of control over mass data through agentic and chained AI. Though the individual controls for an AI application aren’t significantly different from anything else, companies are adopting these technologies faster than they consider the ramifications. Data will flow through providers the company didn’t even know existed. I expect we’ll see a major case soon where a company realizes its data was processed by some third-party AI without their knowledge.

AI is top of mind, but what are the threats that CISOs are not considering?

Erik Montcalm: Logging everything seems like a good idea on the surface. It gives you more data for monitoring. But if a company doesn’t fully understand where their sensitive data lives, logging everything actually creates risk. Personal information or critical customer data can end up in logs that are exposed to too many people.

We work with clients to assess the operational security value of each log. Sometimes the risk-reward equation isn’t in your favor. For example, continuous logging and correlation might not justify the risk of capturing sensitive information unnecessarily. It's about being strategic, not just exhaustive.

The next one would be “second wave” vulnerabilities. It’s something that happens surprisingly often. A vulnerability gets discovered, everyone freaks out, patches it, and life seems fine. But months later, systems get redeployed using outdated scripts or golden images that haven’t been updated. Suddenly, you have the same vulnerability reintroduced. It’s smaller in scope, but it proves that initial vigilance isn’t enough.

The key lesson is that patch management isn’t a one-time fire drill. It’s a continuous process. Even if you think the first round of patches covered everything, redeployment and automation can bring back old vulnerabilities.
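Montcalm’s point about logs quietly capturing sensitive data is easiest to see with a small filter in front of the log shipper. The following is an added example, not SecureOps’ tooling or anything from the interview: it runs a redaction pass over a few constructed log lines, masks the sensitive fields it recognises (card numbers validated with a Luhn check so ordinary digit runs are left alone, CVVs, SSN-style identifiers, e-mail addresses), and counts what it found, which is the evidence a team would bring to the “is this log source worth its exposure” review. The patterns, field names and sample lines are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample log lines (not taken from any real system). They show the
# kind of data that "log everything" quietly captures: a customer e-mail in a
# query string, a card number and CVV in a debug payload, an SSN in an HR export.
SAMPLE_LOGS = [
    '2025-09-12T14:36:10Z INFO  api      GET /v1/orders?user=jane.doe@example.com status=200',
    '2025-09-12T14:36:11Z DEBUG checkout payload={"card":"4111111111111111","cvv":"123"}',
    '2025-09-12T14:36:12Z INFO  auth     login ok user=42 src=10.0.0.7',
    '2025-09-12T14:36:13Z WARN  hr       export ssn=078-05-1120 employee=17',
]

# Patterns for the sensitive field types this example recognises (assumed for
# illustration; a real deployment tunes these to the data classes it handles).
CARD_RE = re.compile(r'\b(?:\d[ -]?){13,19}\b')          # 13-19 digits, optional separators
CVV_RE = re.compile(r'("cvv"\s*:\s*")\d{3,4}(")')        # JSON-style cvv field
SSN_RE = re.compile(r'\b\d{3}-\d{2}-\d{4}\b')             # US SSN layout
EMAIL_RE = re.compile(r'[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}')


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so that arbitrary long digit runs are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scrub_line(line: str) -> tuple[str, list[str]]:
    """Return the line with sensitive values masked, plus the list of finding types."""
    findings: list[str] = []

    def mask_card(m: re.Match) -> str:
        digits = re.sub(r'[ -]', '', m.group(0))
        if not luhn_ok(digits):
            return m.group(0)                              # not a card number; leave untouched
        findings.append('card')
        return '*' * (len(digits) - 4) + digits[-4:]       # keep last four for support use

    def mask_cvv(m: re.Match) -> str:
        findings.append('cvv')
        return m.group(1) + '***' + m.group(2)             # a CVV must never be retained

    def mask_ssn(m: re.Match) -> str:
        findings.append('ssn')
        return '***-**-' + m.group(0)[-4:]

    def mask_email(m: re.Match) -> str:
        findings.append('email')
        local, domain = m.group(0).split('@', 1)
        return local[0] + '***@' + domain                  # domain kept for troubleshooting

    line = CARD_RE.sub(mask_card, line)
    line = CVV_RE.sub(mask_cvv, line)
    line = SSN_RE.sub(mask_ssn, line)
    line = EMAIL_RE.sub(mask_email, line)
    return line, findings


def scrub_logs(lines: list[str]) -> list[tuple[str, list[str]]]:
    """Scrub every line; this is the step that would sit in front of the log shipper."""
    return [scrub_line(line) for line in lines]


def summarize(results: list[tuple[str, list[str]]]) -> dict[str, int]:
    """Count findings per type: the input to the 'is this log worth its risk' review."""
    counts = Counter()
    for _, findings in results:
        counts.update(findings)
    return dict(counts)


if __name__ == '__main__':
    results = scrub_logs(SAMPLE_LOGS)
    for scrubbed, findings in results:
        print(f'{findings or "-"!s:16} {scrubbed}')
    print('summary:', summarize(results))
```

The summary is the useful output for the review Montcalm describes: a source that produces card numbers and CVVs on every request is a candidate for being trimmed or dropped rather than shipped to a SIEM that many people can read, whereas a source that yields nothing can keep its full verbosity.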

Those are great procedural recommendations. Is there anything specific to CISOs or protecting VIPs in an organization from being targeted?

Erik Montcalm: This is one of the more “James Bond” type things we’ve seen. In one organization, we noticed a huge correlation between important people and stolen laptops. For example, executives who were traveling often had laptops stolen multiple times in a year, while the rest of the company’s laptops were stolen at much lower rates. It wasn’t random.

The organization decided to respond proactively. They started sending temporary, lower-risk laptops to executives traveling to certain countries and restricted the data they could access while traveling. In some cases, the recommendation was even to dispose of laptops and cell phones after returning from high-risk locations. The goal was to limit the amount of sensitive data at rest and reduce the risk of exfiltration, especially from countries rumored to be engaging in targeted espionage.

To close out this conversation of risk, what keeps you up at night, and what are you and SecureOps doing to counteract that concern?

Erik Montcalm: What really keeps me up at night is the possibility of SecureOps itself becoming the vector of an attack. It’s a concern for any MSSP. Imagine one customer is breached, and we fail to notice it, passing it along to another customer.

That’s why we employ multiple layers of controls: segmentation, encryption, password vaulting, multifactor authentication, and strict separation between customer environments. We also advise customers to use their own security layers, especially when our teams remotely access their systems. This dual-layer approach reduces risk and reassures customers that they maintain control. It’s a risk that our organization takes very seriously, and we’ve ensured over the last 25 years that it remains a risk and not a reality.

Final Reflections on Risk and Resilience

Montcalm’s insights underscore a simple but often neglected truth. Security is not a barrier to business but an integral part of it. From distributing accountability across business units to preparing for inevitable breaches, the modern CISO cannot rely on technical controls alone. Effective risk management requires clarity of communication, disciplined processes, and organizational buy-in at every level.

The conversation also reveals the limits of pursuing absolute protection. Instead, security leaders must measure risk tolerance, invest proportionally in mitigation, and remain vigilant against reintroduced vulnerabilities or overlooked data exposures. For CISOs and directors, the challenge is not to eliminate risk but to manage it with foresight and balance.

Contact SecureOps today to discuss how we can help manage your risk and protect your environment.