MSSP, MSP, vCISO, Channel chiefs, AI/ML, Supply chain, Business continuity, EDR, Governance, Risk and Compliance

7 Questions CISOs Must Answer on AI Threats, Supply Chain Risk and Cyber Resilience

Guest blog courtesy of LevelBlue.


A CISO’s role is increasingly complex. According to a recent LevelBlue survey, the volume of challenges security leaders face is growing, often leading to misaligned priorities and uncertainty around how to achieve key cybersecurity objectives.

To explore these issues and provide additional perspective on the findings, we spoke with LevelBlue Chief Security and Trust Officer Kory Daniels. The conversation spans AI, supply chain risk, and the realities of building resilience across modern organizations.

Daniels originally covered these topics in the LevelBlue webinar A CISO’s Guide: AI Threats, Supply Chain Risk, and Security Leadership. For a deeper dive, we encourage you to watch the full replay.

1. What actions over the past 12 months have meaningfully advanced security posture modernization?

Kory: Several factors are driving progress, both in the survey data and in conversations with the broader security community. One major shift is the evolving role of endpoint detection and response (EDR). Over the past year, we have seen rapid adoption of AI-driven capabilities operating within environments to strengthen these defenses.

At the same time, organizations are placing greater emphasis on detection and response beyond the endpoint. While this transition began several years ago, interest in identity detection and response (IDR) has accelerated, driven by the rise of non-human identities and increasingly distributed workforces.

Security leaders are also asking more critical questions about tool performance and pushing for a more shared understanding of what extended detection and response (XDR) means in the context of managing business risk.

2. Where are organizations succeeding in resilience, and where are they falling short?

Kory: Success often comes down to governance, which can either accelerate or hinder progress. When governance acts as a tailwind, it provides executive alignment and clarity around which assets and applications require the highest levels of resilience.

High-performing organizations use business impact analysis (BIA) to create a shared understanding of risk across the digital ecosystem. The goal is cross-functional alignment. Security cannot operate in isolation. It must connect directly to business outcomes such as uptime, availability, and data integrity.

Programs tend to fall short when governance becomes a headwind. In those cases, security teams feel isolated, leading to burnout and limited influence when advocating for investments in people, process, or technology.

The release of NIST CSF 2.0 has reinforced the importance of governance as a standalone discipline, something we are seeing reflected both in the data and in ongoing community discussions.

3. Nearly half of CISOs expect an AI-powered attack within the next year, yet only 29 percent feel prepared. Can organizations quickly improve their AI defenses?

Kory: It is absolutely possible to improve quickly, but the key is knowing where to focus. Threat actors are using AI without the constraints of compliance or oversight to generate malicious code and enhance social engineering.

To counter this, organizations should prioritize targeted effort over large capital investments:

  • Strengthen human defenses: AI is increasing both the volume and sophistication of phishing. Attackers are leveraging publicly available data from platforms like LinkedIn and X to improve success rates. Organizations need continuous, high-frequency security awareness programs rather than annual training.
  • Adopt continuous testing: Do not wait for audits. Implement continuous threat exposure management (CTEM). Expand red team exercises and tabletop scenarios by assuming a breach has already occurred. Identify weaknesses in externally facing systems and strengthen defenses before attackers exploit them.

4. Why do many CISOs underestimate supply chain risk despite high-profile attacks?

Kory: The challenge largely comes down to trust. Achieving full visibility into third- and fourth-party risk would require significant resources, including increased headcount.

Many organizations still treat vendor risk management as a compliance exercise, relying heavily on certifications such as SOC 2 or ISO 27001. However, these frameworks do not provide complete visibility.

We are seeing more mature programs build deeper relationships with critical vendors, asking direct questions about their security controls, such as EDR capabilities and incident response readiness. Without regulatory requirements to mandate these disclosures, trust becomes the foundation of effective supply chain security.

5. Who should lead cyber resilience efforts, and how can CISOs secure executive buy-in?

Kory: Cyber resilience ultimately needs to be owned at the board level. Regardless of industry, organizations are accountable for delivering reliable, secure services to their customers.

That said, leadership is not limited by title. CISOs, CIOs, CTOs, and GRC leaders can all act as champions. The key is translating security posture into business terms that resonate with executives.

Resilience cannot be owned by security or IT alone. It requires coordination across business units. Progress happens when organizations treat resilience as a shared responsibility rather than a siloed function.

6. How can security teams better engage business stakeholders when alignment is lacking?

Kory: Cultural change takes time, but it starts with identifying the right allies. If engagement with senior leadership is limited, legal teams can be a strong entry point.

Partnering with General Counsel helps frame security decisions in terms of defensibility and risk. Other valuable stakeholders include the CFO, CHRO, and Head of Risk.

From there, organizations should run crisis simulations or executive tabletop exercises. Walking leadership through a realistic incident scenario often creates clarity around roles, responsibilities, and the broader business impact of cybersecurity events.

7. How can organizations drive lasting culture change around cybersecurity?

Kory: There is often an overemphasis on influencing executive leadership alone. While that is important, building a strong security culture requires engagement across the entire organization.

Practical steps include increasing the frequency of phishing simulations, introducing more engaging awareness initiatives, and creating ongoing opportunities for employees to ask questions and learn.

Most employees only engage with security policies during annual compliance training. Organizations need to create continuous, accessible channels for education throughout the year.

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

You can skip this ad in 5 seconds