Afternoon Cyber Tea with Ann Johnson
Episode: The New Reality of the CISO Role
Guest: David Gee, veteran CISO/CIO, board advisor, and author
Date: January 20, 2026
Episode Overview
In this episode, Ann Johnson sits down with David Gee, a renowned CISO, CIO, and author, to dissect the evolving landscape of the Chief Information Security Officer role. Through practical anecdotes, real-world advice, and hard-earned wisdom, they uncover the challenges, risks, and necessary mindset shifts that current—and future—CISOs must embrace. The conversation demystifies common misconceptions and addresses the interplay between technology, business, and human leadership in an era defined by AI, regulation, and constant cyber threat.
Key Discussion Points & Insights
1. The Myth vs. Reality of the CISO Role
Timestamps: 01:07–04:00
- Dangerous Assumption: New CISOs believe they must instantly know everything and be perfectly equipped for the role. In reality, learning on the job and embracing discomfort are necessary for growth.
- Imposter Syndrome: Accepting the need to "grow into" the position is both normal and healthy.
- Background Diversity: CISOs hail from various domains—accountancy, law, compliance—bringing unique strengths and skills, and often have to learn technical aspects on the job.
“To fail in your first CISO role is maybe normal... trying to embrace that and reflect on yourself and how do you then step into and start to be more comfortable in that uncomfortable situation is really part of the growth.”
— David Gee [01:23]
2. Balancing Security, Business Enablement, and Compliance
Timestamps: 04:00–05:50
- CISO as Enabler, Not the ‘Department of No’: Success comes from clarifying the top risks, enabling business processes, and achieving compliance—always in that order.
- Prioritization: True security leadership involves discerning and defending against the biggest risks (which may not always align with the official roadmap or regulatory demands).
- Collaboration: CISOs must work cross-functionally, integrating security into customer experience and operational processes like DevSecOps.
“You can’t please everybody. But also, you can’t be seen as the department of no. You can’t be saying no, no, no to everything... your job is to help enable the business and not just block things.”
— David Gee [04:15]
3. Resetting Expectations and Making the Job Sustainable
Timestamps: 05:50–07:21
- Shared Ownership: Security is a team sport, with responsibility distributed among C-suite peers—Chief Data Officers, CIOs, CTOs, and CISOs must collaborate.
- Risk Culture: The success of the CISO and the organization’s risk posture depends on embedding responsibility for data and cyber across the business.
“If you’re the Chief Data Officer, you own the classification piece, I help you with identification, and ... the CTO needs to make sure of the backups... there’s a bit of a team aspect to this... As a CISO, you will fail if you just rely on yourself to do this role and your team.”
— David Gee [06:34]
4. Durability and Evolution of the CISO Role
Timestamps: 07:21–09:42
- Challenge of Longevity: The regulatory and threat environment is harsh; incidents can trigger multiple regulations, and board understanding varies.
- From Defense to Strategy: Technical acumen is vital, but strategic alignment with board priorities and business transformation is now essential.
“The environment’s harsh. The regulations... are definitely challenging. And you get an incident [that] could actually invoke three or four different regulations... the CISO being that technical person is important, but... the board needs to be convinced that you understand their strategy.”
— David Gee [07:41]
5. The Influence Imperative and the AI Era
Timestamps: 09:42–11:27
- Shift from Control to Influence: With split CIO/CDO roles, influencing without direct authority is vital.
- CISO as AI Orchestrator: Instead of being a spectator, CISOs need to proactively onboard and ‘manage’ AI in the business, guiding collaboration between people and bots, ensuring proper oversight, and preventing ‘shadow AI.’
“Your job as the CISO is not actually to be a spectator. Your job is to be in the game... making sure I’m onboarding all AI... not have this sort of shadow AI thing happening.”
— David Gee [10:32]
6. Board Engagement and Perception
Timestamps: 11:59–13:10
- Boards Are Still Anxious: Many board members, often from non-technical backgrounds, are worried about the aftermath of breaches but unsure how to guide cybersecurity strategies.
- Rise of AI: Boards see both the threat surface and the business potential of AI, necessitating even clearer articulation from CISOs.
“Boards are afraid of cyber security still... They kind of understand that actually this is a bad thing. Now, the tricky part is... what do you do about it?”
— David Gee [12:11]
7. Pragmatic AI Adoption in Defense
Timestamps: 13:10–14:23
- Defensive AI: CISOs must evaluate agentic AI to automate toil, reinvest gains in core security processes, and move quickly—threat actors already are.
“Look at agentic AI to take manual toil out of your system, take that savings and put it into things like the SOC and penetration testing... accelerate that process.”
— David Gee [13:37]
8. Mentorship, Learning, and Leadership Qualities
Timestamps: 14:23–17:55
- Mentorship Deficit: The loneliness and intensity of the CISO role make mentorship difficult but critical. True mentorship should convey insights leaders wish they'd had early in their careers.
- Management vs. Leadership: The most important thing for CISOs is not just time management, but strategic priority management and reflection. Experience and behavior matter more than credentials as careers advance.
“Mentorship happens at all levels, not just for the newbies, but also in mid levels. And even senior people need to learn from others... That’s important to reinforce and give us courage to know we’re doing the right thing.”
— David Gee [15:52]
“Priority management and time management are not the same things. Priority management is more strategic... When you have that ability to think about things and reflect on what’s important, you can often make the right decisions.”
— David Gee [16:54]
9. Leadership, Team Development, and the Future Workforce
Timestamps: 18:17–21:30
- Coaching for Team Performance: Great leaders draw out the best in each team member, focusing on both skills/knowledge and, crucially, experience/behavior.
- AI as Team Member: The leader’s job will increasingly include coaching both humans and bots for optimal results.
“As a leader, you come in and you inherit a team... My job is to make sure Ann’s always operating at the best level she can... in the future Ann, David, and John [will be] working with bots.”
— David Gee [19:14]
10. Board Advice and Risk Culture
Timestamps: 21:30–22:59
- Strategic Influence: CISOs moving from operational to strategic influence must be bold in quantifying risk, set the right metrics, and rally the organization as a team.
“Have the courage and conviction to be bold in your prediction, but also then give yourself an out... it’s all of us, not just my team.”
— David Gee [22:08]
11. Optimism for the Next Generation
Timestamps: 22:59–24:14
- Hope for the Future: Emerging leaders are smarter, more eager to learn, and understand the necessity of teamwork. The landscape is Darwinian, but persistence and collaboration fuel optimism.
“The new leaders coming through are smart... they’re wanting to get input which I think is going to help them grow ... we can actually succeed in the long term. So it’s going to take a real team effort.”
— David Gee [23:23]
Notable Quotes & Memorable Moments
- “Embracing the uncomfortable is hard for a lot of people ... when people embrace the uncomfortable, you actually give the space for folks to help you along, right?”
  — Ann Johnson [02:10]
- “Your job as a CISO ... is not to be a bystander. It’s to be a leader and to partner with others, and to drive your team, not in isolation but with the right stakeholders around the table.”
  — Ann Johnson [11:27]
Summary Table of Key Segments
| Topic | Timestamp |
|-------|-----------|
| The Theory vs. Reality of CISO | 01:07–04:00 |
| Prioritization & Enabler Mindset | 04:00–05:50 |
| Whole-Organization Risk Ownership | 05:50–07:21 |
| The Challenge of Durable Leadership | 07:21–09:42 |
| Influence in the Age of AI | 09:42–11:27 |
| Board Perception & Security Governance | 11:59–13:10 |
| Integrating AI Defensively | 13:10–14:23 |
| The Mentorship Gap in Cybersecurity | 14:23–17:55 |
| The Leadership Equation—Humans and Bots | 18:17–21:30 |
| Elevating CISOs to Strategic Influence | 21:30–22:59 |
| Optimism for Emerging Cybersecurity Leaders | 22:59–24:14 |
Final Takeaways
- The CISO role today is about adaptability, influence, and teamwork—not just technical mastery.
- Success comes from embracing discomfort, strategic prioritization, and collaborative leadership, especially as AI becomes integral to both business and threat landscapes.
- Mentorship and shared learning across all career stages are essential to evolve the next generation of CISOs.
- Boards, organizations, and CISOs alike must move forward together, translating fear and confusion into shared risk management and opportunity.
