Decrypted | Insights from Virtru to Unlock New Ideas

Why the Author of "The Lean CISO" Refuses to Let AI Make the Final Call

Written by Editorial Team | Jun 18, 2026 7:47:32 PM

More than 70 percent of security operations center analysts suffer from burnout severe enough to impact their personal lives. Every vendor in the market promises to solve this with automation.

And yet Dave Brown, CISO and CIO at Andesite.ai and author of "The Lean CISO: Bootstrapping Cybersecurity in Startups," argues that full automation is exactly the wrong answer.

In a recent episode of Hash It Out, Brown sat down with Virtru CMO Matt Howard to discuss why the CISOs who win the next decade won't be the ones who outsourced everything to AI. They'll be the ones who augmented organizational intelligence while protecting judgment, accountability, and context as everything around them accelerates.

Watch the full conversation or keep reading for the key insights from their discussion.

What Pragmatism Actually Means for a CISO

Howard opened the conversation by asking Brown to define two words that came up repeatedly in previous conversations: pragmatic and business-aligned. These terms get thrown around in security circles, but Brown's definition cuts deeper than the usual platitudes.

"The first 90 days is ultimately determining what are the business priorities and designing a cyber strategy that aligns to and supports the business as a business enabler," Brown explained.

"Too often I've heard fellow CISOs come in and say, I'm gonna do a security assessment against NIST. Well, that's great. But then how does that tell the business how you're there to help them?"

Brown's framework centers on integration. If you don't integrate as part of the business, you will never be seen as anything other than a cost center. At Andesite.ai, this meant building what Brown calls "compliance high," architecting to the most stringent standards across government, financial services, and healthcare from day one. The company maintains 18 compliance standards and over 500 controls with quarterly auditing. But these aren't checkboxes. They're business enablers that allow Andesite to partner with risk-averse federal agencies and enterprises.

Brown recounted a moment when a CEO refused to sign a partnership contract until he could meet Andesite's CISO. The executive wanted to confirm that Brown understood why certain compliance standards mattered. After one conversation, the CEO signed the contract on the call. That meeting crystallized the shift happening across the industry: security leaders are becoming decision-makers in partnership conversations, not afterthoughts in procurement.

Protecting Data While Enabling Its Movement

Howard pushed on a tension every CISO faces: data creates value when it moves, but movement creates risk. How do you protect data without locking it down so tightly that the business can't function?

Brown's answer centers on sovereignty and control. At Andesite, customer data resides in customer systems. When data must be shared with federal contractors or business partners, Brown's team uses tools like Virtru to maintain granular control. They can share Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) with the ability to expire or revoke access after the fact.

"The idea that continuous auditing shows and includes data protection controls, the frequency for which we have actually gone in and evaluated the effectiveness of the control," Brown said. His team reports findings to a compliance committee that includes finance, engineering, people ops, and business operations leaders, not just security and IT. Governance is a business function, not a technical silo.

Howard emphasized this as a trust question. Organizations do business with partners based on demonstrated hygiene, compliance documentation, and mature controls. But trust also requires ongoing sovereignty.

You might trust someone today and share data with them, but you need the ability to change your mind tomorrow and revoke that access. Brown agreed, noting that data sovereignty becomes especially critical when working with international partners subject to locality restrictions.

The Sales CISO

Many (though not all) security leaders become roadblocks in the sales process. Brown has made himself an accelerant. He sits in on all sales calls. He maintains what he calls "speed dial" access with the chief revenue officer. He has built a questionnaire repository that allows same-day responses to security inquiries, turning what could be weeks-long security reviews into same-day approvals.

"I have to walk a delicate balance where I have to be ethical from the security compliance and the governance that have been built, but also help enable the business," Brown explained. When a security practitioner on a prospect call picks at a technical point, Brown can answer in their terms and build confidence. When there are gaps in the knowledge base, Brown works with the product team to fill them. The security program shapes itself around what drives business focus.

This level of involvement would have been unusual for a CISO ten years ago. Today, it's table stakes. Brown pointed to a trend of companies elevating chief operating officers to chief AI officer roles, recognizing that AI transformation requires operational integration across the business. The same logic applies to security. If AI is going to touch every function, security can't sit on the sidelines.

Humans In, On, or Out of the Loop

The industry is racing toward full automation. Brown is running in the opposite direction. He drew a parallel to network intrusion prevention systems that, when configured to automatically block traffic, ended up blocking legitimate business activities at tremendous cost.

"I want to be the one closing the ticket," Brown insisted. "How do I say reasonableness if I'm before a regulator or before the board or before a court if your technology made the decision?"

This isn't just about liability. At Andesite, the platform provides recommendations based on what SOC analysts are investigating. Analysts can give each suggestion a thumbs up or thumbs down. The system learns from each operator's decisions, becoming more effective without removing human agency. Brown calls this approach "human in the loop," and he draws a hard line between that and "human on the loop" or "human out of the loop."

The distinction matters because 75% of SOC analysts suffer from burnout, and every AI vendor promises to solve it with automation. Brown's argument is that full automation increases risk while augmentation reduces toil. "Use AI to do the toil-heavy stuff. Create the slide deck, format the document. Then use the big brain to solve big brain problems," he said.

Howard pushed on this: does the partnership between the business and the CISO grow stronger given the rise of AI? Brown's answer was unequivocal. It has to.

The demand for data has never been greater. Everyone in the organization now understands the need for guardrails because they've experienced AI hallucinations in their personal lives. The abstract concept of data governance has become tangibly real.

What AI Actually Requires from Security Leaders

Brown's approach to AI governance follows the same business-aligned framework he applies everywhere else. He's implemented the NIST AI Risk Management Framework and ISO 42001, and Andesite was the third company globally to achieve Cloud Security Alliance's CSAI STAR Level 2 certification. But compliance isn't the point. The point is shared responsibility.

"I say often that obviously there's portions of the business risk I do own, but I don't own all of it," Brown explained. His job is to identify risk, explain it to other business owners in terms they understand, and give recommendations on how to minimize, reduce, or transfer it. Never ignore it. Andesite conducts penetration testing twice yearly with dedicated AI assessments. Brown has assembled cross-functional AI expertise to evaluate whether the company is implementing AI that actually enables the business or creates inefficiencies.

The traditional barriers between security and engineering have dissolved. Instead of appointing security champions to represent security interests in development teams, Brown's team partners with engineers to solve problems collaboratively. "When you do that, the angst goes away. People want to work with you. It is a much richer environment," he said.

The Unification Imperative

Howard's final question got at the core thesis: does Brown agree that the unification and strength of the partnership between the business and security is likely to grow stronger given the rise of AI?

Brown's answer: it has to. The best organizations going forward will be the ones that partner effectively between IT, security, and lines of business. That includes the head of people ops bringing in tools that make employees efficient. It includes security operations partnering with engineering instead of issuing edicts. It means breaking down traditional barriers and treating security as a shared responsibility across the organization.

When Howard wrapped by asking what's cool about Andesite, Brown brought it back to the human question. SOC analysts want to accomplish something meaningful in a day instead of drowning in frustration. Andesite doesn't require lift-and-shift migrations. It integrates with existing tools and provides a unified place to access them and gain quick insights. And it keeps humans in the loop because reasonableness before regulators, boards, and courts requires human judgment.

The CISOs who win the next decade will be the ones who understand that AI is a tool for augmenting intelligence, not replacing it. They'll be the ones who build compliance regimes that enable business partnerships, not block them. And they'll be the ones who sit in on sales calls, report governance findings to cross-functional committees, and refuse to let their technology make the final call.

Watch the full Hash It Out conversation with Dave Brown to hear more about bootstrapping security programs in 90 days, building defensible compliance regimes for CUI and sensitive data, and the honest case for (and against) agentic AI in security operations.

About Andesite.ai

Andesite.ai provides AI-powered security operations solutions designed for the reality of modern SOC teams. Unlike traditional tools that require expensive lift-and-shift migrations, Andesite.ai integrates with existing security infrastructure to provide unified insights and actionable intelligence. With a human-in-the-loop philosophy and compliance-first architecture, including FedRAMP High authorization, ISO 42001 certification, and CSA CSAI STAR Level 2 attestation (third globally to achieve this), Andesite.ai helps security teams accomplish more without burnout. Customer data remains resident in customer systems, ensuring sovereignty and control while enabling the efficiency gains that AI promises. For security operations teams seeking to work smarter without sacrificing control or judgment, Andesite.ai offers a partnership built on trust, compliance, and practical outcomes. Learn more at andesite.ai.