Dom Glavach, Chief Information Security Officer (CISO) at Black Duck, chats about AI and its positive impact on vulnerability detection in this Q&A by CIO Influence:
___________
Hi Dom – as a modern SaaS CISO, what’s the most challenging part of your everyday role?
What I enjoy most about my role is that the challenge is the opportunity. In a modern SaaS environment, everything is moving fast, teams are continuously innovating, delivering, adopting new tools, using open source, and increasingly relying on AI, both in how our teams work and what we deliver to customers. That creates a dual challenge. On one side is the enterprise, with people using AI assistants and agents that access data, take actions, and provide decision-making recommendations. On the other side are the products themselves, AI-enabled or in AI-assisted development environments, features and solutions that we are building, and that customers depend on and trust. Both have similar yet unique risks, attack surfaces, and complexities.
The opportunity is to continuously improve a cybersecurity program that scales across both the enterprise and products; addressing the risks that matter most, implementing the right guardrails around how AI is used, and enabling people to move faster while embedding security into how products are designed, built, and deployed.
For me, the passion comes from partnering with the business to move at that speed safely, managing risk so cybersecurity becomes part of how we innovate and how we enhance customer trust.
As today’s employees independently deploy powerful, autonomous AI agents for work tasks, how should security teams transition from managing ‘Shadow AI’ to governing ‘Shadow Agents’?
Shadow AI risk is mostly about unapproved tools, sensitive data exposure, and how employees use AI-generated outputs. Shadow AI agents raise the stakes because agentic systems can connect to applications, access data, trigger workflows, change code, create pull requests, and take actions that can affect business processes as well as the software supply chain.
The transition is about governing AI like powerful digital workers through a continuous life cycle of visibility, guardrails, enablement, monitoring, and refinement. I think about this as a continuous cycle of: Assess – Govern – Enable – Monitor – Improve.
Assess where AI and AI agents are being used, what problems are they solving, which systems and data are being accessed, what actions are being taken, and how AI may influence the software development life cycle.
Govern with practical, repeatable guardrails around approved use cases, data handling, and access boundaries with human-in-the-loop and on-the-loop requirements, with accountability and secure-by-design expectations.
Enable the business with validated AI and agentic solutions. When AI security creates restrictions (friction), people will find workarounds. The better model is to make the secure path the easiest path.
Monitor continuously for policy exceptions, excessive permissions, unusual data movement, odd workflow execution, and actions taken by agents or other non-human entities. This also means watching how agents affect code, dependency, build, and release workflows.
Adversaries are using AI to discover and exploit vulnerabilities in milliseconds. As a CISO, how do you train your security team to shift from manual human-speed threat detection to automated, ‘machine-speed’ defense without compromising system reliability?
AI is compressing the time between vulnerability discovery, weaponization, and exploitation. This means security teams can no longer depend on human-speed processes for detection, triage, and response. The answer is not to automate everything blindly; rather, it is to build trusted automation with human judgment in the right places.
For me, the shift is from vulnerability management as a queue to vulnerability operations as an operating model. Machine-speed defense is more than a SOC challenge; it requires connecting vulnerability intelligence, asset context, software composition, exploitability exposure, business criticality, ownership, and remediation workflows.
When new vulnerability or exploit signals appear, organizations need to answer key questions quickly: what is affected, where are we affected, is it exploitable, who owns the fix, and what’s the appropriate response?
This requires high-quality context and automation to support repeatable processes, from enrichment to evidence collection. The goal is to shorten the time between signal, context, decision, and high-confidence action.
Machine-speed resilience is not about removing humans from the cycle. It’s about moving human judgment to where it matters most: designing, validating, and governing the automation.
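The triage step described above, answering "what is affected, where, is it exploitable, who owns the fix, and what is the response" when a new advisory signal arrives, as an added example that is not part of the interview or Black Duck's own tooling. The inventory, advisory, and SLA thresholds are constructed for illustration.

```python
# Added example: a minimal vulnerability-operations triage step joining an
# advisory signal with asset context (SBOM components, exposure, business
# criticality, ownership) to reach a decision. All data below is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str           # service or application
    components: dict    # package -> installed version, as an SBOM would list it
    internet_facing: bool
    criticality: str    # "high" | "medium" | "low" (business impact)
    owner: str          # team accountable for the fix

# Constructed inventory: what an SBOM/CMDB join would normally provide.
INVENTORY = [
    Asset("checkout-api", {"libfoo": "1.4.2", "libbar": "2.0.0"}, True, "high", "payments-eng"),
    Asset("internal-reporting", {"libfoo": "1.4.2"}, False, "low", "data-platform"),
    Asset("mobile-gateway", {"libfoo": "1.5.0"}, True, "high", "mobile-eng"),
]

# Constructed advisory signal: fixed version and whether exploitation is observed.
ADVISORY = {"package": "libfoo", "vulnerable_below": (1, 5, 0), "exploited_in_wild": True}

def parse_version(v):
    return tuple(int(p) for p in v.split("."))

def triage(inventory, advisory):
    """Return affected assets with owner and response decision, most urgent first."""
    results = []
    for a in inventory:
        installed = a.components.get(advisory["package"])
        if installed is None or parse_version(installed) >= advisory["vulnerable_below"]:
            continue  # not affected: component absent or already at a fixed version
        # Exploitability, exposure and business criticality drive the decision.
        exploitable = advisory["exploited_in_wild"] and a.internet_facing
        if exploitable and a.criticality == "high":
            action, sla_hours = "emergency patch", 24
        elif exploitable or a.criticality == "high":
            action, sla_hours = "prioritized fix", 72
        else:
            action, sla_hours = "scheduled release", 336
        results.append({"asset": a.name, "version": installed, "owner": a.owner,
                        "exploitable": exploitable, "action": action, "sla_hours": sla_hours})
    return sorted(results, key=lambda r: r["sla_hours"])

if __name__ == "__main__":
    for r in triage(INVENTORY, ADVISORY):
        print(r)
```

Each result row is the evidence record the text calls for: the affected asset and version, the accountable owner, and the decision with its time bound, so the human review happens on the decision rule rather than on every finding.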
What tips would you share with fellow CISOs and security teams about mapping security controls to business objectives (revenue, downtime, trust) rather than just technical compliance?
Controls become meaningful when the right people own them and the right metrics show they are protecting what the business depends on.
Anchor controls to ownership. Every control should have a clear business, operational, and security ownership model. When a control protects release confidence, engineering has a role. When it protects customer trust, product and customer-facing teams have a role. When it protects revenue continuity, business and technology leaders all have a role.
Translate controls into measurable outcomes. A control should connect to something that the business cares about: fewer customer-impacting incidents, faster remediation, reduced downtime, fewer emergency releases, stronger audit readiness, and increased business continuity.
Measure behaviors and outcomes, not just activities. For example, vulnerability operations can be measured by how quickly critical, exploitable issues are identified, assigned to the right owner, remediated, and validated. Secure development can be measured by whether teams are catching issues early, reducing rework, and shipping with greater confidence.
What should CISOs rethink to stay on top of the evolving threat landscape?
We need to continuously evolve how we understand and manage the threat landscape. The pace of change is too fast to rely on annual resilience strategies, single-visit control frameworks, or manual security processes. The modern threat landscape is continuous, and the security operating model must match it.
This starts with visibility. Security teams need a clear view across identities, data access, cloud environments, software dependencies, and AI and agentic workflows. The attack surface extends beyond infrastructure; it includes how the business builds, buys, connects, and automates work.
Prioritization also needs to evolve. Security teams cannot treat every issue with the same urgency. The focus must be placed on exploitability, exposure, business criticality, customer impact, and whether the organization can realistically act on the risk.
Speed matters, but speed requires control. AI is increasing the pace of both attackers and defenders, which means CISOs must invest in automation with strong governance, validation, rollback capabilities, and human oversight where the business impact is high.
The threat landscape will continue to evolve. Our role as CISOs is to accelerate the business while orchestrating a resilient cyber program that can continuously learn, adapt, and respond.
Five CISOs from the global SaaS market you’d shout out to?
Igor Tsyganskiy, Global CISO at Microsoft. Not only does he bring deep engineering credibility to the CISO role, but Tsyganskiy also took the helm during a period of intense external scrutiny as Microsoft was responding to high-profile nation-state intrusions. He didn’t shy away from the situation, acknowledging shortcomings while moving quickly to resolve systemic risk. As a result, his organization has rebuilt Microsoft’s internal security governance model and integrated security directly into Microsoft’s Cloud and AI systems.
Andrew Dunbar, CISO at Shopify. When I think of Andrew’s tenure at Shopify, I instantly think of how well he’s scaled security as the company itself has scaled dramatically over the years. This growth in parallel has allowed him to infuse security into the actual culture of the business which also becomes a high-value trust point for customers.
Iain Mulholland, CISO at Salesforce. It goes without saying that Salesforce presents one of the world’s most complex technology environments. And Mulholland has a proven and impressive record with enterprise security, having worked in leadership roles at Google Cloud, VMware, and Microsoft before his current work with Salesforce. I admire that he champions security as an engineering discipline while also standing as a forward-looking authority on AI-native product security. There are many lessons to be learned from his cutting-edge, technical approach to enterprise security.
Dom Glavach leads Black Duck’s global security strategy across enterprise security, GRC, product security, and AI security and governance. He works closely with engineering, product, and customer-facing teams to embed security, resilience, and responsible AI governance throughout the company’s operations and the platforms and intelligence delivered to customers.