
Breakout session

The CISO Paradox

Today’s CISOs face an unprecedented leadership challenge: they are held personally and legally accountable for security outcomes, yet they often do not have direct authority over the people, budgets, or technologies that drive those outcomes. This session, hosted by Commvault’s Chief Trust Officer Danielle Sheer who is joined by CISO Bill O’Connell, and Deputy CISO Will Galway, explores how modern CISOs can lead effectively within this paradox—balancing influence and accountability while maintaining trust across the business. 


About This Session

Modern CISOs face a unique and demanding paradox—being personally and legally accountable for security outcomes while lacking direct control over budgets, personnel, and technologies. This accountability gap forces security leaders to rely heavily on influence, collaboration, and shared organizational responsibility to protect the enterprise. 

Creating a security-aware culture is now viewed as more impactful than simply growing the security team. Security leaders highlight the importance of embedding security into daily workflows, turning “culture as code” into reality so every employee understands their role in protecting systems, data, and the business.

CISOs must operate through influence rather than authority, building strong partnerships across departments and business units to spread security best practices and ensure secure decision-making. With limited ownership of end-to-end systems, security success depends on cross-functional alignment and distributed accountability. 

Real-world threats such as CEO impersonation phishing attacks demonstrate the escalating sophistication of cyber adversaries, reinforcing the need for continuous education, vigilance, and organization-wide participation in detecting and preventing threats. 

Structuring a modern security organization requires more than traditional defensive tactics. Effective security today demands expert leadership, cultural transformation, and the integration of security principles into every business process to increase resilience against evolving and frequent cyber risks. 


Key Takeaways

  • CISOs face the paradox of high accountability with limited authority, requiring leadership through influence rather than direct control.
  • Security must be a shared responsibility, where every employee contributes to protecting systems and reducing risk.
  • Cultural transformation (“culture as code”) is essential, often providing more impact than enlarging the security team.
  • Increasingly sophisticated cyber threats—such as CEO impersonation phishing—demand continuous education and vigilance across the organization.
  • Modern security organizations require expert guidance, cross-functional collaboration, and integrated processes, not just traditional access management or defensive tactics.
  • The ultimate goal is enabling the business to move quickly and safely, with security embedded into every layer of operations.

Frequently Asked Questions

Why is building a security-first culture more effective than expanding security teams?

A security-first culture ensures every employee understands their role in protecting the organization. Since no security team can monitor every system or communication channel, empowering employees to recognize and prevent threats creates a more resilient and distributed defense model. 

How do CISOs manage security without full authority over systems and teams?

CISOs rely on influence, communication, and collaboration across departments. By partnering with business leaders, IT, engineering, HR, and operations, CISOs embed security practices into everyday activities, ensuring shared responsibility for risk management and compliance. 

What recent threats highlight the need for company-wide vigilance?

Sophisticated phishing attacks, such as CEO impersonation scams, demonstrate how attackers exploit internal trust. These threats underscore why employees at all levels must remain vigilant and follow security best practices to prevent breaches. 

What does a modern security organization need beyond traditional defense tools?

Modern security requires expert leadership, cultural adoption, adaptable processes, and organization-wide engagement. It incorporates proactive education, influence-based leadership, and integrated resilience planning—not just access control or reactive response. 

Transcript



Welcome. 

We’re live from SHIFT and I am here with Commvault’s Chief Security Officer, Bill
O’Connell and Commvault’s Deputy Chief Security Officer, Will Galway. 

And this is the CISO Paradox, a podcast to discuss leading security in the age of personal
accountability. 

We’re living in challenging times for CISOs. 

Why? 

Well, um, CISOs are oftentimes held personally and legally accountable for the security outcomes at companies, but they don’t necessarily directly own the budget, the people, or the technologies that drive those security outcomes. 

That makes for a pretty challenging job. 

And so we’re gonna talk about that today and what it means to be a modern CISO and how the
role is evolving inside the largest enterprises in the world. 

I’m gonna kick it to Bill first. 

Bill, what do you do? 

Yeah, I uh I love the title of our session that it’s about this paradox, right? 

There’s a true dilemma here where on the one hand, you want the leader of security and the
security team to have accountability, ultimate accountability. 

But also we talk about things like a shared responsibility model, right? 

So how do you balance those two things? 

How do you have an organization that uh can ensure that the security of the company is
where it needs to be 

but also recognizing that they can’t be everywhere. 

So you also need to worry about all the people in the organization, all of the technology,
all of the systems and processes. 

So I like to think of it as the paradox is allowing both things to be true and focusing on, yes, do we have the right security expertise, but also how do we change the culture of the organization? 

So it’s, you know, culture as code, that everybody knows what they can do. 

And if you can get the entire organization to think a little bit more about security, uh
that’s probably more impactful than hiring one more person in the security team. 

So I think it’s both of these things, but it really has changed over time. 

You know, your deputy Will here is trying to turn everybody in the company into the
guardians of security. 

How do you do that Will, as the attacks are just getting more more complicated? 

I mean, we have all gotten phone calls from Sanjay Mirchandani, our CEO, in just the last week asking for gift cards and money transfers leading up to SHIFT. So how do you think about making sure all of us are smart enough? 

How do you change the culture into the shared responsibility model? 

Yeah, and I think it’s important to use influence over authority. 

Like you said in the opening 

we don’t have control of every system or every person or their personal WhatsApp. 

So these are just things we have to use influence to work with business leaders and to
work with other heads of departments and just get that message out to our people. 

I think everyone has a responsibility to security, but it’s all to make the business move
faster. 

And I think there’s things we can do and we are doing to help enable that. 

I think it’s just really important to get that security culture that Bill had mentioned up
and running. 

And I think, um, we’re doing a good job with that right now. 

Yeah, I would agree. 

By the way, the calls and the texts were fake. 

They they were a phishing attempt. 

They weren’t real. 

um Just to make sure everybody listening. 

um So, Bill, how do you think about how to structure a modern security organization inside
a company today? 

Because it’s not just blocking and tackling, you know, um identity access issues. 

How do you think about it? 

Yeah, I think partly, uh, you need a certain level of expertise. 

But where I’ve seen different models of security organizations in the past, I’ve seen some that tried to take the approach where security is the hero, the firefighter that handles everything. 

And when you create that wall and that separation, then you take the responsibility off
everybody in the organization. 

They can say, well, I’m just going to do what I do and then security will do the security
stuff. 

And I don’t think that model works. 

I think we need to think of it more as, you know, when you’re building a house, there’s not a plumber and electrician and then a security electrician or a security plumber, right? 

The plumber and the electrician need to know how to do their job securely from the
beginning. 

So I think when we think about the modern org, it’s where is, where are the right people
and roles and functions that should be in the security team? 

And then where can we help other teams be more secure? 

And so how can I help a service organization see what are the parts of their day where security is important, and how can I teach them to be more skeptical? 

uh When I think about a product engineering organization, I can’t have developers that
don’t think about security and then a security team come fix it, right? 

Like, for years now, companies have been on the march to shift left so that we have developers think securely, build securely, and then yes, there’s the security team that will also do some checks, but we’re not there to catch everything. 

The team has either prevented it in the first place or, if they, uh, created a vulnerability, they fixed it long before it gets to production. 

So those are the types of things where the modern security org is true expertise that can
help enable all those other teams to do what they do more securely. 

And I think, real quick, to Bill’s point, there’s moving to where the business is. 

I think it’s really important. 

And I think, um, you know, not having the standard security silo that we’ve seen in the past, you have to move where the business is and connect at that level. 

To Bill’s point about you know developers and people that are closer to the product. 

I mean there’s training and there’s ways that we can get a security uplift overall. 

On top of the product we can do it back internally as well. 

I think we need to mirror these things and get to the business where that is in order to
uplift what we do. 

That’s a great point. 

I want to get very specific here. 

So for organizations that are maturing their cybersecurity function out of necessity, but maybe have put off the investment as long as possible, your organization and the things that you’re tasked with doing are sort of explosive. 

em You are responsible for making sure the products that are built are secure when they
end up in the hands of customers. 

You’re responsible for, you’re almost the last mile with a customer before they buy. 

They want to talk to one of you two and make sure they understand that the products are
built with security in mind and what will happen if the unthinkable emerges. 

Uh, you’re tasked with making sure everybody in the company is, uh, protecting our access to what matters internally, educating, because you can’t have a team that is so large, right? 

So you have to educate the developers on how to code securely, you have to educate the sales field, um, on how to sell securely. 

How do you think about this? 

I mean, it’s quite a huge remit. 

I would ask it this way. 

Who do you think are your top five key roles um that you have in a modern CISO
organization? 

It’s tough to answer because like you mentioned, all of those areas are so important. 

I think, um, one of the things that, when I, you know, coming into any new organization, I have to understand what is the business doing and what’s the, you know, what’s the business trying to accomplish? 

And I think that’s something that’s changed a lot over time is that um a security org has
started off as the, you know, just say no to everything. 

And then we realized, well, we can’t, everything is connected, everything is digital. 

So how can I make sure that we are being secure by design and we are educating the company and meeting them where they are, right? 

So that we can uh do that. 

uh I think also, you you’re asking about what are the key roles uh in the org. 

uh I’m not sure I could rank them, I think, because they all do such different things. 

uh But ultimately for me, I start off with what is the business trying to accomplish and
what are the risks, right? 

Everything needs to be risk driven. 

And so, if I have a team focused on application security or a team focused on looking at the infrastructure or cloud, uh, we almost need a, uh, it’s so important that we use risk as kind of that single, uh, taxonomy for how we talk about all of the things that could go wrong, so that I can compare an architecture design issue that I don’t like with a potential vulnerability in an application and all the way down the line in the security team. 

It’s that when we say something is critical, what does that mean? 

And I don’t have to make the leaders in the company, cybersecurity experts all the time. 

I’m not talking to them about CVSS scores or, you know, I’ve translated it into when I say
something is critical, that means, we have to stop what we’re doing. 

When I say something’s high, you should be worried. 

And likewise, when I say something’s low, just know we’re watching it 

but I’m not going to spend too much time on that. 

I’m going to disproportionately spend my time on the critical and high issues. 

And so I think all the roles in the organization, especially in the security organization, need to understand what that taxonomy is so we can talk to the business in a way they’ll understand and not have to get in discussions about SQL injection and how to avoid it. 

I also think it’s important to keep in mind, like when you’re talking about risk like that, there’s a, you know, most of the time risk goes off of likelihood, or risk as set by some authority, some guiding authority, but we have to look at impact to the business. 

I think it’s a really important way to measure it and it’s what drives that criticality
rating is how could it impact us and that’s the order in which we’ll go after things. 

And I think it’s a healthy approach. 

It’s a straightforward thinking approach because I just think it matters the order in
which you do it. 

So let’s talk about risk realized for uh for just a few minutes. 

The three of us have been through a breach response together, which is the best way to
learn. 

um What are the characteristics? 

What are the personality traits of leaders that are on the forefront of a breach response? 

I’ll start with you, Will. 

I think hygiene is really important. 

And I think that in most public breaches we hear about, it starts with hygiene. 

And I think, like, for a good leader, it’s not letting perfect be the enemy of good, just to make sure that we get to where we need to in order to protect the company. 

I do think that good traits of leaders not just look at that, but they also build
relationships and trust across different business units. 

We’re all in this together and every little bit makes a difference. 

Whether that’s you’re dealing with different people in the business or different employees
in different parts in different regions. 

I think it’s really important for everyone to be able to come together and know what their
responsibility is in that kind of shared security culture model. 

And Bill, you are in front of boards of directors. 

How do you think about that moment where, whether you sound it or not, the alarm is
sounding? 

Who are you in that moment and what do you think are the best characteristics of
leadership when you’re facing a crisis? 

I think for me personally, I find it funny. 

I will get so frustrated in traffic 

but when there’s something very serious happening, I can be very, very calm. 

And I think that’s probably one of the most important traits is that you will have
imperfect information. 

You will have a million people asking you questions and you really have to be able to
focus to say, okay, what do I need to do right now? 

What’s the next thing I need to do? 

While also thinking about the big picture about, by the end of the day, where do I need to
be? 

And then communicating outward. 

And it’s interesting, I do a lot of, I have a lot of conversations with customers and
across my career have had to do this and sometimes you have to do the mea culpa. 

Other times it’s more proactive and like you mentioned, trying to instill trust early on. 

uh And you can kind of see who are the CISOs that have had an issue and who haven’t
because there are many that say, well you had X, Y, and Z issue happen. 

We, you know, we can’t work with you. 

uh 

And you start to realize if you’ve been in it long enough that uh you’ll run out of
companies to do business with, right? 

Everybody has an issue at some point or they just don’t know about it yet. 

So what’s more important is how did they handle it? 

How did they respond? 

Are they being transparent? 

And so, you know, that’s what I look for when I’m talking to other CISOs, that, uh, I think that that’s the type of mentality that you need to have. 

My favorite analogy is it’s like a boxer who plans to never get punched in the face. 

Like, that’s just not a good strategy. 

So you have to be prepared that something will happen. 

And so are you always looking forward? 

Are you, you know, never satisfied with the program, right? 

There’s always something better you could be doing. 

So when you plan for the year, plan in 10 to 15% budget and time that’s open, because you don’t know what’s going to happen. 

You don’t know what’s going to change. 

We don’t know how AI is going to change our jobs in a year. 

So rather than think that you can have all the answers, allow yourself a little bit of
flexibility, allow yourself so that you can be resilient and see where do I need to adapt. 

So let’s tread into deeper waters. 

Trust scales or stalls at a moment of truth. 

So, you know, your company has experienced a breach, or somewhere in the supply chain has experienced a breach that affects you. 

um How do you ensure that you strengthen trust through that process instead of break it
with customers, with your employees, with your board, with your executives? 

And then I’m gonna add on one other piece to this, which is, you know, the response to a
breach doesn’t take a day, it doesn’t take a week, sometimes it takes months. 

And a lot of people go back to their day jobs, but the security team and the teams perhaps that were affected and the customers and the vendors still have to live with this until it reaches some natural conclusion, but it’s never quick. 

So how do you keep the energy up and the focus up? 

So sort of those two things let’s explore for a minute. 

Yeah, I think having the right controls in place is of course important. 

It’s also the process about how you get there, um, knowing that things will change, new technology will come at a faster and faster pace; it’s not just enough to have a checklist and say, you know, did I do these 10 things? 

It’s also by what process are you deciding what those 10 things are and how will it be
different next year? 

And so being adaptable is, and having that mindset is probably as important as, you know,
taking an inventory of a technical, of what technical controls I have on any given day. 

I think that’s, you know, what I look for in my team. And when I’m talking to other CISOs, I think that’s the best trait I’ve seen: being adaptable towards, you know, and appreciating that you can’t have all the answers. 

So what’s your process to determine what that prioritization should be? 

I also think that, you know, you talked about fatigue, right? 

Especially after a breach has occurred and people get back to their day jobs. 

I think if you’re measured along the way and you’re constantly measuring yourself, you know where you’re at, you know how far you’re progressing with it, and you know what’s left to be done. 

So I think that measurement is really important in order to know when to sound the alarm
and when to stop sounding it and try to get back to a normal flow of business. 

But I think that all comes from all the prep work that you do ahead of time in order to
get there. 

If you’re on the phone with a vendor, a customer, a prospective customer, and they are looking for an answer, as in, tell me about a time that you experienced a breach and how you communicated with people. 

How do you have that conversation? 

Because there’s a spectrum of ways you could have legal scripted for you, you could have
sales kind of run with it. 

But what’s the best way to have that conversation to build trust? 

I think that I’ve been in security almost 20 years and I’ve had a lot of uh conversations
with other CISOs. 

I think transparency is the most important thing. 

I think, ah, people can sniff it out when you’re not giving them a full answer or not giving them a complete answer. 

And that probably erodes trust faster than anything. 

And like any relationship that requires trust, when you lose it, it’s so much harder to
gain it back. 

So to be able to say, this is what we know for sure, this is what we don’t know, is so
much better than providing, trying to make it rosier than it is. 

You know, I would agree that transparency is huge. 

And I think, as a security professional, I mean, we look forward to reading the true reports that come out after a breach happens; there, you learn so much from that when companies are upfront and forward about what had happened. 

And in that moment, when that initial phone call comes in, I think, to Bill’s point, you want to be as open as possible and as truthful as possible, just because people understand that these things will happen, but it’s your response that’s how they’re going to gauge you going forward. 

Okay, let’s shift gears and talk about AI. 

AI seems to be changing the game for cybersecurity attacks in the landscape and attack
vectors. 

How do you think your roles will change a year from now as AI matures? 

I think it’s going to be tricky. 

I think AI, from a security perspective, is a very interesting problem to solve, because we’re trying to use it to, um, enhance the business and allow the business to move faster. 

We’re also trying to use it for security in order to help us secure the company. 

But we also want to make sure that it doesn’t come back and bite us while we’re trying to
do the first two things. 

So I think it’s going to redefine the game. 

And I didn’t buy into it for a long time. 

But the longer that you start to look at how things are evolving and agentic AI, and just how companies are going to start putting their trust into a model that can provide those results and learn over time almost better than employees in some cases. 

I still think the employees are necessary to do the security side of it. 

I’m not advocating that we’re all gonna get overtaken by AI overlords, but I do think it’s gonna be a big change in how we think about and plan for protecting the company as AI becomes both more prevalent in the offense for the attackers and in the defense of a company. 

Yeah, and this is a great example of where, you know, I think we need to plan for what we don’t know and allow ourselves a little bit of time and budget for things changing so rapidly in the next year that I can’t predict exactly how we’ll be using AI. 

And when people say AI, what do they mean exactly, right? 

Agentic AI versus just ML. 

So uh do we allow ourselves the space to say, okay, we don’t have any answer. 

We don’t have all of the answers today, but we know it’s going to be huge for us. 

And so in addition to just, you know, security for AI and AI for security, there’s this arms race that’s happening where now the barrier for a threat actor to use AI against the company is just going down and down. 

It’s getting so much cheaper and easier. 

And the amount of skills required to do what they might’ve done years ago, um it’s just
gotten so much simpler. 

So that’s the other thing that we need to be thinking about is how, like Will said, how do
we defend against that? 

Uh, knowing that it’s always gotten easier and there have been, uh, kind of more tools available, but now, uh, AI, uh, for security attacks, that’s something that we’re really gonna have to figure out. 

Yeah, and it just, you think about the evolution of how attackers have operated: it used to be a person, really smart, would go and bang on the front door of a company until they got in. 

And then it was like, I can use these scripting tools and do it faster. 

And then the results they had out of those tools, they still had to decide, all right, who
am I going to follow up on from that stage? 

But now with AI, like the AI will be able to automate that so much faster. 

And it used to just be, you had to run faster than the, you know, than the person next to
you. 

Well, now it’s going to get a little more challenging because I think the attacks are
going to increase in speed, which means our defense has to move at that same rate. 

Right. 

And the response. 

Yeah. 

I think we have to assume that they’re going to get in and we have to figure out how do we
contain and remediate as quickly as possible. 

Absolutely. 

Yeah. 

I think, you know, I love to remind CISOs of, you know, kind of two key things that I see that I think people forget in the past couple of years. 

I’ve seen a huge shift towards the defense. 

And like you mentioned, I really believe it’s also about the resilience piece that you
will get punched in the face. 

Can you get back up? 

How well can you get back up? 

And so when you think about things like the CIA triad, right, availability, that’s one of the key tenets for security. 

ah Or, you know, with NIST, it’s about recovering. 

And so I think we’ve shifted so far towards defense, and I think smart CISOs are realizing, I have to also pay attention to how do I help get back up? 

ah How do I detect it as fast as I can? 

But also how do I get my business running again? 

It’s a perfect lead into my last question, which is this. 

You know, the standard is not to be perfect. 

The standard is not to get it right. 

The standard is to try. 

The standard is to make progress. 

So parting thoughts, how do you try? 

What’s at the top of your list for making progress? 

What do you want to be known for just two quarters from now? 

I want to be known for doing the boring stuff well. 

I want to be known for getting the company to a level where the average attack, the things
that most companies fall short on, that’s not us. 

I want to make sure that through good hygiene and good measured hygiene that we’re able to
keep ourselves above and beyond where we need to be 

so that we do have the time and the budget available to go handle the things we don’t yet
know about. 

But we gotta get the, we gotta always do the easy stuff first. 

That’s excellent. 

Thank you. 

Yeah, you know, it’s interesting when I, sports are a big part of my life. 

I’m a very competitive person and I always play defense. 

And so I think that really, you know, resonates with me and how I’ve gotten into this field is that, like Will mentioned, if you do your job right, it’s invisible. 

Nobody notices, right? 

Um, it’s very flashy to be on offense, but, um, on defense, you just have to do your job; it’s just expected. 

And so, you know, I think that, uh, you know, I agree a hundred percent that it’s about
ensuring that we have the right level of defense that should anything happen, we’re ready 

for it. 

We can respond fast and we can get the business back up and running. 

And I think, you know, that’s, that’s where I want to be. 

Thank you, Bill, Commvault’s Chief Security Officer, and Will, Commvault’s Deputy Chief Security Officer. 

We are so fortunate that you are at Commvault and so fortunate that you help so many people internally and externally just get more sophisticated about what we’re all facing in terms of cyber resilience. 

If you want to learn more, head over to our Readi verse. 

It is chock full of information and tips and practices for security leaders and executive leaders to get started, to mature, to get even more sophisticated, because this is a shared responsibility model and it’s all about helping each of us get stronger. 

Thanks so much. 
