The Corporate Director Podcast
Episode: "Cybersecurity in the Age of AI"
Date: July 23, 2025
Host(s): Dottie Schindlinger (Diligent Institute), Megan Day (Diligent)
Guest: Nick Shevilyoff (Founder & Managing Partner, VCISO AI; Author, Cyber War and Peace)
Episode Overview
This episode of The Corporate Director Podcast delves into how the rapid adoption of AI is transforming both the business and cybersecurity landscapes. Hosts Dottie and Megan converse with cybersecurity veteran Nick Shevilyoff, exploring the profound risks and opportunities AI introduces, the balance between human oversight and automation, and actionable strategies for boards to navigate this new era safely and effectively.
Key Discussion Points & Insights
1. The Rapid Pace of AI Adoption and Board Readiness
- AI is accelerating change in companies: The hosts highlight how organizations are struggling to keep pace with AI advancements.
- Stat alert: Only 10% of global companies are deemed "future ready" for AI according to an Adecco survey of 2,000 C-suite leaders across 13 countries. (01:25)
- Leadership & Training Gaps: Even though 60% of companies expect employees to adapt to AI, a third don’t have any policies in place. (02:45)
“It’s like putting them on a rocket ship, giving them a jetpack and saying, good luck, see you in outer space.”
— Megan Day (05:23)
- Education is critical: Diligent is investing in robust education initiatives for AI ethics, oversight, and practical guidance for directors and executives. (03:21–05:23)
2. The AI-Cybersecurity Nexus: New Risks & New Tools
Guest Introduction: Nick Shevilyoff
- Background: 30 years in cybersecurity spanning government, consulting, and as CSO for Silicon Valley Bank.
- Focus: Now leads an advisory firm at the intersection of cybersecurity and AI, and authored "Cyber War and Peace." (07:27–08:53)
AI's Double-Edged Sword in Cybersecurity
- Attackers and Defenders Both Empowered
- AI enables developers to build solutions faster, but also allows cybercriminals to launch high-quality attacks at scale:
“Generative AI empowered everyone. It made developers be able to develop faster... but it also made the bad guys, the threat actors, be able to scale.”
— Nick Shevilyoff (09:52)
- Notably, spear phishing and business email compromises are more frequent and sophisticated, now combining:
- Mass personalization
- Deepfakes (audio/video)
- Real-time social engineering (10:10–12:04)
“Now you’re seeing video transmissions, Zoom calls requesting those money transfers, and they’re really fake.” — Nick Shevilyoff (11:24)
How AI Is Helping on Defense
- AI-Driven Detection and Response
- AI tools such as endpoint detection and remediation (EDR) are more effective due to their architecture and access to data.
- Managed Detection and Response (MDR) can now auto-respond to threats in seconds, reducing "mean time to detection/response" from hours to seconds. (15:49)
“That could take minutes and hours... You’re now seeing AI technologies called Managed Detection and Response auto monitor these EDR alerts and auto respond in seconds...”
— Nick Shevilyoff (16:10–17:24)
- Importance of Data
- AI effectiveness depends on the quality of the data it is trained on.
3. Boardroom Perspectives: Oversight, Reporting & Strategy
Key Questions and Practices for Boards
- Does the board have true tech/AI expertise? (17:47)
- How is the company measuring and reporting the effectiveness of AI adoption, especially in cybersecurity?
- Are new AI-driven forecasts and analytics being properly integrated into decision-making?
“The rate of change that we are experiencing today is likely the slowest rate of change that we’ll ever experience again.”
— Nick Shevilyoff (18:57)
Human vs. Automation: Finding the Right Balance
- Traceability and Explainability: Organizations must ensure AI processes are understood, explainable, and interventions are triggered when necessary. (20:04)
“That which may be automated should be automated, but then controls should be put into place to measure deviations from means that we decide to be critical.”
— Nick Shevilyoff (20:15)
- Measurement & Reporting: If you can't measure it, you can't manage it—and vice versa.
CISOs, Boards & Modern Reporting
- Connect cybersecurity reporting to business strategy and outcomes, not just technical metrics.
- Use agile principles to balance planned vs. unplanned work; unplanned (security incidents) can erode value if not controlled. (22:22)
- AI tools now enable swifter policy design and even automation of software development and quality assurance—transforming how work and defense are delivered. (24:00)
4. Cyber Defense Recommendations in the Age of AI
- Adopt New & Proven Technologies: Stay current with AI-native security tools that match the speed of attackers. (25:52)
- Never Forget Cyber Hygiene: Old-fashioned basics—like secure, verified backups—are still crucial, especially against ransomware.
“Good old backups and good hygiene are what’s saving a lot of organizations. So...excellence in the basics, right? What are the basics? And have excellence in those basics is key.” — Nick Shevilyoff (26:45)
5. Should Boards Have an AI Expert? The Debate (Post-Interview Reflection)
- The “Three Digitally Savvy Directors” Rule: Referencing MIT research, having at least three digitally savvy board members is a key uplift for outcomes and risk management. (28:09)
- Generalist vs. Specialist?: The goal should be a digitally literate board, not just a single domain “expert.” (29:18)
"What AI is doing is...upending business models. It is like the conversation we had 10 years ago around digital transformation in the boardroom. It’s that conversation on steroids because it touches every aspect of how a company operates."
— Megan Day (31:17)
- AI is Not a Vertical—It’s in the DNA: In a decade, every company will be an AI company, just as every company is now an internet company. (32:03)
- But Guardrails are Still Needed: Rapid change and excitement shouldn’t eclipse the need for strong oversight—“guardrails”—and readiness for the negative possibilities as well as the positive.
Notable Quotes
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 01:25 | Megan | “Only 10% of the companies surveyed globally are considered future ready when it comes to AI…” |
| 05:23 | Megan | “We’re giving people... a jetpack and saying, good luck, see you in outer space.” |
| 09:52 | Nick | “Generative AI empowered everyone... but it also made the bad guys, the threat actors, be able to scale.” |
| 11:24 | Nick | “Now you’re seeing video transmissions, zoom calls requesting those money transfers, and they’re really fake.” |
| 16:10 | Nick | “You’re now seeing AI technologies called Managed Detection and Response auto monitor these EDR alerts and auto respond in seconds and not minutes and hours.” |
| 18:57 | Nick | “The rate of change that we are experiencing today is likely the slowest rate of change that we’ll ever experience again.” |
| 20:15 | Nick | “That which may be automated should be automated, but then controls should be put into place to measure deviations from means…” |
| 26:45 | Nick | “Good old backups and good hygiene are what’s saving a lot of organizations. So...excellence in the basics, right?” |
| 28:09 | Dottie | “Once you have three digitally savvy board members in the room, everything goes better. Your growth goes off the charts, your risk goes way down, the company explodes.” |
| 31:17 | Megan | “What AI is doing is... it is upending business models. ... It’s that conversation on steroids because it touches every aspect of how a company operates.” |
| 32:03 | Dottie | “It’s the best equivalent that I can think of is the Internet. ... AI is going to very quickly become technological DNA.” |
Timestamps for Important Segments
- 00:54 – Pacing of AI adoption and organizational readiness (Adecco survey)
- 03:21 – Education & policy gaps around AI in companies
- 07:27 – Nick’s background in cybersecurity and book context
- 09:52 – How AI has transformed cyber threats—scale of spear phishing, deepfakes
- 12:49 – AI-powered defensive tools and their effectiveness
- 15:49 – Example: AI reducing time to detection/response
- 17:47 – What boards need to focus on: skillsets, measures, and reporting
- 20:04 – Balancing automation and human oversight in security
- 22:22 – Connecting cybersecurity to business strategy and agile methods
- 25:52 – Recommendations for cyber defense: new tech vs. hygiene
- 28:09 – Should boards have an “AI expert”? Reflections on board composition
- 32:03 – AI as an inevitable part of business DNA & need for guardrails
Memorable Moments
- Megan’s rocket/jetpack analogy (05:23)
- Nick’s “slowest rate of change” forecast (18:57)
- Dottie’s reflection on the “three digitally savvy directors” rule (28:09)
- Real-world illustration of AI tools coding and QAing overnight, with “two phones” experiment by Nick (24:52)
Tone & Language
The conversation is direct, pragmatic, and often lighthearted—mixing candid warnings with humor (“Pollyanna for the apocalypse”), while maintaining a focus on practical governance advice.
Final Takeaways
- Boards must prioritize digital and AI literacy—not just outsource the expertise.
- AI raises both the stakes and the speed for defenders and attackers.
- Most companies lag behind on AI readiness and need both robust education and clear policies.
- Human judgment, strategic oversight, and “excellence in the basics” remain indispensable in the age of AI.
- The future will belong to companies whose boards and leaders build AI—and digital—expertise into their DNA.
