Sean D. Mack
CIO/CISO and author (Enterprise Security: A Data‑Centric Approach) who discusses real‑world cybersecurity leadership conversations and enterprise risk focus areas.
NYC's Cinco De Mayo: Tacos, But Expect Hours
Cinco de Mayo in midtown Manhattan means deciding whether you want to wait one hour for tacos or two hours for tacos. NYC, never change.
Security Vendors Must Own AI, Not Serve It
GenAI is going to augment nearly every layer of the security stack. The interesting question for vendors is not whether the stack disappears. It is whether you become a feature of someone else's AI, or whether AI becomes a feature of...
Decentralized Teams Scale Better Than Centralized Command
Happy May the 4th! The most underrated leadership lesson in Star Wars is structural, not spiritual. The Empire ran centralized command and control. The Rebellion ran small, autonomous teams making local decisions. Half the enterprises I work with are still figuring...
AI‑First GRC Turns Risk Assessments Into Immediate Action
Working on launching a new GRC platform, Cygnal. AI first, risk first. The interesting part is not the technology, it’s how quickly we can turn assessment into action. Super excited about what we are building and the value this is already...
Prioritize Real-Time Business Threats Over Mere Documentation
I keep coming back to this: The goal is not to document risk. The goal is to understand what could actually hurt the business today.
AI Threats Accelerate: Speed, Automation, Availability Redefine Risk
There’s a lot of noise around AI threats like Mythos. From what I’ve seen, the techniques are not new. What is new: speed, automation, availability. Anyone can now operate at a much higher level than before. That changes the game. If you're not one of the...
Assess Your Cyber Risk in the AI Era
Do you actually know your cyber risk? Join us for an upcoming webinar on cyber risk in the age of AI. The core question is simple but hard to answer for many. Register now: https://buff.ly/1TfqYzt
CIO‑CISO Misalignment Leaves Enterprise Risk Owner Undefined
The CIO CISO alignment issue is still one of the biggest gaps I hear about in my daily conversations with technology leaders. Who actually owns enterprise risk? And how are you managing alignment across your organization? Check out the latest...
Choosing CTEM vs ASM: Which Delivers More Value?
Are you using CTEM or ASM for your organization? Interested to know how you've integrated these tools into your security operations? What’s delivering the most value?
AI Builds Apps Fast, but Google Mispronounces My Street
It continues to baffle me that AI can now rapidly develop applications from scratch and yet Google Assistant still can’t pronounce the name of my neighborhood "Peck Slip".
Musk's AI Safety Claims Clash with His Aggressive Ventures
It might just be me, but Elon Musk positioning himself as a champion of AI safety, in court, no less, is a tough sell. This is someone actively building one of the most aggressive AI companies in the market.
Link Cyber Risk Directly to Financial Outcomes, Not Just Controls
How are you actually measuring cyber risk today? Frameworks are helpful, but they don’t always translate cleanly to business impact. Are you tying risk to financial outcomes or still working mostly in controls and maturity?
Join a No‑Pitch Virtual Roundtable on Transport Security
I'll be hosting a virtual roundtable tomorrow on securing transport systems. No pitches, just real discussion with cybersecurity leaders. Great way to network and learn. If you're interested, register now at: https://buff.ly/L7CxprA
NYC Cybersecurity Leaders: Join AI‑MDR Dinner Roundtable
Cybersecurity leaders in the NYC area: I'll be hosting a roundtable dinner this Thursday on MDR in an AI world. Small group, free food and drink, no vendor pitches. If you're interested in joining you can register now: https://buff.ly/ph28llE
Quitting Threads, Yet Still Posting About It
Me: I'm quitting Threads and saving hours every week. My wife: Wait are you posting that to Threads right now? Me: ... ...
AI Reliability Engineer: The Future Code Orchestrator
There is a new role that is needed in the world of AI: The AI Reliability Engineer. The developer of the future will be an orchestrator of agents, a master at understanding code management, a new breed that can...
AI Adoption Outpaces Ops Discipline, Creating Risk Gap
I have been thinking a lot about how quickly teams are adopting AI tools. The gap between experimentation and operational discipline is growing. That gap is where most of the risk is right now.
Mid-Size Firms See Cybersecurity as Essential, Not Optional
From ISMG: cybersecurity is becoming a must have for mid sized firms, not a nice to have. https://buff.ly/HzPfKHs The interesting shift is not the decision to invest. It is how organizations are deciding what actually moves the needle.
Prioritizing Cyber Risks Beats Mere Awareness
One of the hardest parts of cybersecurity right now is not awareness. It is prioritization. Everyone knows there is risk. Few teams are aligned on what matters most. How do you know if you're tackling the most important risks for your organization?
Seeking Best Practices for Managing Multiple AI Coding Agents
Are you managing multiple AI coding agents? If so, how are you doing it? Are you using an orchestration tool? Another agent to manage the agents? I'm starting to work with Claude Agent Teams as well as just running multiple...
AI Forces Firms to Rethink Build‑vs‑buy Decisions
One of the more interesting comments from a recent roundtable: A large financial institution is re-evaluating build vs buy across their entire stack because of AI assisted development. Including major SaaS platforms. Are you rethinking this right now? Does AI truly change...
AI Tools Free Time to Focus on Product
Spent more time with AI assisted development this weekend. I spend less time thinking about code and more time thinking about the product.

AI Security Shifts to Governance, Data Control, Real Risk
Great roundtable in NY last week with Zscaler on securing the next wave of AI in financial services. The conversation has changed. Less hype, more focus on governance, data control, and real risk.
AI Security Fundamentals Unchanged, Just Faster and Messier
I keep hearing “AI security is different.” Not sure I buy that. Most of what teams are dealing with looks very familiar, just faster and messier. Shadow AI, identity, third parties. We’ve seen all of this before. The tooling changed. The fundamentals didn’t.
AI Advances Outpace Organizational Operating Models
Feels like we are still very early in figuring out how AI fits into real organizations. The technology is moving fast, but the operating models are still catching up.
Leadership Requires Choosing Between Competing Tradeoffs
A lot of leadership comes down to tradeoffs that do not have clean answers. Speed vs risk, centralization vs autonomy, innovation vs control. You rarely get to optimize for all of them at once.
Tools Are Easy; Business‑focused Risk Understanding Is Hard
The more time I spend in security, the more I believe tools are the easy part. Understanding risk in a way the business cares about and then acting on it is where most teams struggle.
Seeking Real‑World CTEM Platform Success Stories
What is your favorite CTEM platform right now and why? Less interested in feature lists and more interested in what is actually working in production.
Evaluating Real Value vs Noise in CTEM Platforms
Are people actually getting value out of your CTEM platforms? I see a lot of interesting capabilities, but I am still trying to separate what is useful from what is just noise.
Even AI Can't Automate My Expense Reports—Need an Agent
We have AI writing code, generating content, analyzing data, and yet I am still doing expense reports manually. Feels like one of the most obvious use cases for an AI agent and yet... If someone has an AI agent that could...
Agentic AI Security Needs Layered, Integrated Defenses
We keep asking how to solve agentic security as if there is a single answer, but most of the conversations I am having suggest it is a combination of least privilege, access controls, monitoring, and good architecture. The question might not...
SMBs Know Basics; Prioritize What Truly Matters
For SMBs, cybersecurity is rarely a knowledge problem. Most teams know the basics. The challenge is figuring out what actually matters for their business and doing that well.
New CXO Advisor Services Cut Cyber Risk Fast
We are expanding CXO Advisor with new services across pen testing, incident response, and transformation. The goal is to fundamentally help companies reduce their cybersecurity risk. If you are trying to improve your security posture in a practical way, happy to...
NYC Cyber Leaders: Join Roundtable on Secure AI
If you are a cybersecurity leader in NYC, I'll be hosting a roundtable this Thursday on secure AI adoption. Small group, strong peer set, and candid discussion about what is actually working and what is not. Free food, drinks, and great...
AI Success Depends on Operating Model, Not Just Technology
One thing I keep coming back to is that AI is less of a technology decision and more of an operating model decision. The companies that get this right are thinking about ownership, workflows, and accountability, not just which models...
Embedding AI Organization-Wide Mirrors Early DevOps Evolution
Do you have an AI org or are you embedding AI across existing teams? This feels very similar to early DevOps where everyone was spinning up dedicated teams and roles, but over time it became something that had to be...
AI Coding Boosts Enterprise Productivity—But How Much?
What is the actual impact of AI assisted coding in large enterprises? I am personally pretty blown away by what I can build with it but at scale I rarely hear specifics on the impact. Are large teams actually 10% faster...
Agentic AI Identity Needs Integrated Control System, Not One Solution
Great roundtable in Boston last week with Okta on identity for agentic AI. The biggest takeaway for me is that no one really knows how to solve this challenge yet. People are looking for a single solution when the reality...
Seeking Real-World Feedback on SAFE GRC Platform
Do you use the SAFE GRC platform? Had a chance to see it at RSAC and was impressed but don't hear from many folks using it. Would love to hear real-world feedback from current users.
Exploring Agentic AI's Impact on Large Development Teams
Are you using agentic AI in your development teams? Working with it individually has been powerful. Very curious how this translates to large codebases and teams.
Shadow IT Evolves: From User Shortcuts to Autonomous Systems
Shadow IT used to mean people using tools without approval. Now it can act on its own.
Seeking User Priorities for New AI‑Native GRC Platform
What is the most important thing you want in a GRC platform? We are building something new, AI-native from the ground up. Would value input from people actually using these systems day to day.
AI Coding Frees Developers to Focus on Product Vision
I've been spending a lot of time on AI assisted development and I continue to be blown away. What I like most is not the speed (although that's impressive) but the ability to focus on the bigger issues: how the...
AI‑Assisted Development: Incremental Boost or Enterprise Transformation?
What is the real impact of AI-assisted development in large enterprises? On personal projects, it feels like a step change. At scale, I am not sure yet. Is it incremental or transformational?
AI Security Mirrors Existing Controls, Not a New Paradigm
Is AI security actually different? The categories look familiar: Shadow AI, Shadow IT; Agent identity, IAM; AI vendors, TPRM. So what is fundamentally different about security for AI related threats?
AI Agents Behave Like Users, Not Service Accounts
AI agents are not service accounts. They are closer to user accounts, but more complex. They act on behalf of others. They change behavior. They can create more agents. How are you handling Agentic identity?
Autonomous Agents Pose a New Large‑scale Threat
An agent with a goal and agency can do real damage. We used to worry about compromised accounts. Now we need to worry about autonomous decision-making at scale. That is a very different risk model.
Teams Still Operate Security Without a Dedicated CISO
What surprised me in recent discussions is not the threats. It is how many teams are still trying to manage this without dedicated leadership. How are you structuring security if you do not have a CISO?
Seeking Real‑World OpenClaw Use Cases and Experiences
Anyone using OpenClaw? Very interested to hear how folks are using it. What are your favorite use cases?
AI Finally Closes Search Loop, but Trust Remains Uncertain
The evolution of search has always been "Find". Google never got there but, now, AI has. AI is the first time it feels like the loop is actually closed. But it raises a new question: How much do you trust the answer?