Q&A: A CIO’s Perspective on Trust, Control, and AI at Machine Speed

As cyberattacks compress from days to seconds, security leaders are being forced to rethink not just their tools, but their operating models. Following Ontinue CISO Gareth Lindahl-Wise’s recent article on building trust in automated response, we sat down with Thai Vong, CIO of ACR, to explore how these shifts are playing out from the enterprise side – and what CIOs must do differently now.

Q1: Gareth argues that the traditional “detect, analyze, escalate, decide” model no longer works at machine speed. From your perspective as a CIO, what has fundamentally changed?

What’s changed is not just the nature of the threat; it’s the time available to respond.

We used to operate under the assumption that there was a window to collaborate, escalate, and get alignment before taking action. In many environments, that was a reasonable assumption.

Today, it isn’t.

Once an attack is in motion, the timeline compresses to seconds. At that point, you’re no longer operating in a governance window; you’re operating in an execution window.

For CIOs, that forces a shift in mindset. The question is no longer “How do I stay in control of every decision?” It becomes “How do I design an environment where approved actions can happen quickly, consistently, and within the boundaries we have already established?”

At machine speed, control can’t depend on real-time approvals. It must be built into the environment before an incident occurs.

Q2: That idea of redefining control is a big theme. What does “control” actually mean to you in an AI-driven security environment?

Control, in this context, is less about intervention and more about design.

It’s the work you do upfront to define boundaries, responsibilities, and acceptable actions before an incident ever occurs. That means being explicit about which assets can be acted on automatically, what conditions should trigger a response, and how those actions can be reversed if needed.

In many ways, manual approval has traditionally been equated with control, but that model doesn’t scale in a time-compressed environment. When decisions need to happen in seconds, inserting people into the middle of the process becomes a constraint rather than a safeguard.

Manual approval is not control if it arrives too late.

Real control comes from having confidence in the system you’ve designed; confidence that it will stay within the boundaries you’ve set and take the actions you’ve already approved, even when you’re not directly involved.

For me, control means the organization has already agreed on the rules of engagement, including what can happen automatically, what requires human review, what needs escalation, and how we recover if something needs to be reversed.

Q3: Many CIOs are investing heavily in AI right now. Where do you see it delivering the most value in security today?

The biggest value from AI right now is helping organizations manage both complexity and speed at the same time.

Modern security environments are highly fragmented, spanning cloud platforms, endpoints, identities, and often a mix of inherited systems from growth or acquisition. That fragmentation makes it difficult to operate consistently, especially under time pressure.

AI helps introduce greater consistency across that complexity. It helps accelerate detection and analysis, reduces the reliance on manual triage, and enables a more predictable and repeatable approach to response.

It’s not really about doing something entirely new. It’s about doing the right things more reliably, and doing them at a scale and speed that aligns with how both the business and the threat landscape are evolving.

That distinction matters. AI isn’t replacing people or judgment. What it does well is help teams make decisions faster and more consistently, especially when they’re dealing with a large and complex environment.

For organizations growing through acquisition, that becomes even more important. You’re often bringing together different systems, different processes, and different levels of maturity. AI can help bring consistency to environments that are still being integrated, which is often exactly when the business is moving fastest and risk is hardest to see.

Q4: And where are you still cautious? What are the risks CIOs need to manage when adopting AI in security?

The primary risk is introducing AI into an environment that isn’t ready for it.

If roles, responsibilities, and decision rights aren’t clearly defined, AI doesn’t solve that problem; it amplifies it.

There are three areas I focus on:

  • Governance and accountability: Who owns the outcome of automated decisions?
  • Scope discipline: Being explicit about what can and cannot be automated
  • Reversibility: Ensuring actions can be rolled back quickly if needed

There’s also the broader issue of “AI sprawl” with tools being introduced faster than they can be governed.

So the objective isn’t speed without control. It’s speed because control is already embedded.

AI does not create discipline. It exposes the strengths and weaknesses that already exist in your organization.

That is why CIOs need to be deliberate in how they adopt and scale AI. Before introducing automation into security operations, there must be clear ownership, defined risk tolerances, established exception processes, and accountability for outcomes. Without those foundations, AI simply accelerates existing gaps and inconsistencies rather than solving them.

Q5: Gareth talks about the need to pre-authorize response and remove decision bottlenecks. In practice, how hard is that for organizations to implement?

It’s harder than it sounds, because it’s not just a technology problem; it’s an organizational one.

What you’re really asking teams to do is shift how decisions get made. That means building trust in systems they haven’t historically relied on, agreeing in advance on where decision boundaries sit, and moving from a model where decisions are made reactively in the moment to one where they’re designed proactively ahead of time.

That kind of change doesn’t happen in isolation. It requires alignment across security, IT, risk, and often the broader business. And that alignment can be difficult, because it forces organizations to be explicit about risk tolerance, ownership, and accountability.

But the alternative is trying to make those decisions in the middle of an incident, under pressure and with limited information, which is exactly when decision-making breaks down.

The organizations that make progress here are the ones that recognize this isn’t just about deploying new tools. It’s about redesigning how response decisions are made, so that action can happen at the speed the threat environment now demands.

You cannot govern in real time what you failed to establish in advance.

That is where leadership matters most. Pre-authorized response is not a technology decision; it is a business decision grounded in trust, accountability, and risk tolerance. The most effective organizations make those decisions before an incident occurs, when there is time for thoughtful discussion and alignment, rather than during a crisis when every second counts and options become limited.

Q6: Your business has scaled significantly, including through M&A. How does that complexity influence your approach to security and automation?

M&A introduces a level of variability that you can’t ignore: different environments, different configurations, and different levels of maturity all coming together at once.

You’re not starting from a clean slate. You’re inheriting systems, processes, and risk profiles that weren’t designed to work together, and at the same time, the business expects integration to happen quickly and without disruption.

That creates a real balancing act. On one hand, you need to move fast to support the business. On the other, you need to ensure that risk doesn’t increase as complexity grows.

In that context, standardization and automation become essential. They’re not about optimization; they’re about creating consistency across environments that were never consistent to begin with.

Without that layer of standardization, complexity scales faster than control. With it, you establish a more predictable and repeatable model, even as the organization continues to evolve.

That is especially important in a supply chain business, where disruption rarely stays confined to IT. A security event can ripple across customers, operations, suppliers, and partners, impacting not only business performance but the trust and reliability the organization has worked hard to earn.

For me, security and automation are not activities that happen after integration; they are foundational to it. They enable the business to move quickly while maintaining control, consistency, and resilience. If security is treated as an afterthought in the integration process, the organization is already operating from a position of risk.

Q7: What role do partners play in helping CIOs make this transition?

Partners play a critical role, particularly as environments become more complex and the pace of both operations and threats continues to accelerate.

From a CIO’s perspective, it’s not just about accessing additional technology. It’s about working with organizations that bring operational maturity, proven response patterns, and the ability to operate consistently across multiple environments. Those factors become increasingly important as scale and complexity grow.

One of the key advantages external partners bring is perspective. They see patterns an internal team may only encounter once, or may not see until it is already under pressure.

That breadth of experience helps reduce uncertainty. It allows CIOs to move faster and with more confidence, particularly when it comes to adopting automated and pre-authorized response models.

The right partner doesn’t replace accountability. The CIO and the business still own the outcome. What a strong partner provides is scale, operational experience, and the ability to turn strategy into consistent execution across a complex environment.

That becomes increasingly important as teams are asked to do more with less. Most organizations don’t need more tools, more dashboards, or more alerts. They need the ability to act decisively, consistently, and at the speed the business requires.

Q8: If you had to give other CIOs one piece of advice as they navigate this shift to AI-driven security, what would it be?

The most important thing is to start with the decision model, not the tool.

There’s a tendency to look at AI as the solution, but if you haven’t clearly defined how decisions are made, what can be automated, and where your boundaries sit, then introducing AI will often expose gaps rather than close them.

From a CIO’s perspective, this is really about clarity. Who owns decisions? Under what conditions can action be taken? Where are the exceptions? Those are the foundations that need to be in place before you start layering in technology.

If you get that right, AI becomes a powerful extension of your team. It allows you to operate with a level of speed and consistency that simply isn’t possible otherwise.

But the real work isn’t the adoption of AI itself. It’s building the trust, governance, and response model that allow the organization to act with confidence at machine speed.

My advice to CIOs is simple. Don’t mistake deploying AI for being ready to use it. Buying the technology is the easy part. Readiness comes from understanding where it fits, what decisions it should support, what risks it introduces, and how you will govern it before it becomes part of your security program.

The CIO’s role is to make sure AI strengthens the business, not just accelerates the noise.