The CISO’s AppSec Dilemma: What Matters Most in the Age of AI

In this CyberOXtales Podcast panel, OX Security Field CTO Chris Lindsey moderates a discussion with four security leaders on the application-security questions every CISO is wrestling with in the age of AI. Across three topics (where to focus in AppSec, the biggest pitfalls to avoid, and how to balance security with speed), the panel keeps returning to a single theme: security succeeds through process, partnership, and relationships far more than through any tool. The conversation also tackles how autonomous AI agents and “vibe coding” amplify both good and bad engineering practices, and closes with practical tactics for winning developer buy-in.

Key Takeaways

  • Hold software vendors accountable and get beyond check-the-box. Ask how a company actually views software development (its people, process, and technology), not just whether it can produce an SBOM.
  • Process beats tools: the #1 AppSec mistake is over-rotating on tooling. A great tool can’t fix a broken process. People rally around process and partnership; they don’t rally around tools.
  • Partner, don’t police; aim for “zero escaped critical and high.” Security is a mentality shift for CISOs, not for engineering. Sit in the room from the start and help engineers avoid critical/high findings, without anyone coming to complain.
  • AI is “the great amplifier.” Vibe coding and AI AppSec tools make a good process much better and a bad process much worse: a 3-5K-line app can balloon to 80K lines, exploding the threat model.
  • Friction, reframed as “safety”, is a good thing. Like speed bumps near a school, the right friction is a reminder to slow down and be safe; keep security visible rather than invisible.
  • Don’t be transactional; build relationships before you need them. Introduce yourself, ask how you can help, walk the floor. Goodwill banked early is what gets honest answers when something goes wrong.

Speakers

Chris Lindsey

Field CTO, OX Security (host/moderator)

Field CTO at OX Security and the session’s moderator, with 35 years in software development and AppSec leadership.

Pieter VanIperen

CISO, AlphaSense

CISO at AlphaSense who authored and teaches the “Secure Coding for Coders” course.

Joye Purser

CISO, Cohesity

Field CISO at Cohesity with 18 years of US federal government security experience.

Heather Hinton

CISO, Sitecore

CISO at Sitecore and a four-time CISO with a technical, architecture-focused background.

Doug Kersten

CISO, Appfire

CISO at Appfire with a background spanning banking, financial services, and law.

Adrian Guevara

CISO, WillowTree (a TELUS Digital company)

CISO at WillowTree (a TELUS Digital company), listed on the official panel lineup.

FAQ

Hold the software organization accountable for code quality and security, and get beyond a check-the-box culture. Understand how the company actually develops software (its people, process, and technology), and bake security in by design with trained teams that scrutinize code, rather than treating an SBOM checkbox as the goal.

Get in early at the design stage, where modern AppSec tooling can’t help on its own: credential vaulting, secrets handling, designing against fraud and abuse. Pair light-touch enforcement with a learning loop (“if this had been done earlier, we wouldn’t be here”) and frame issues in terms of resiliency and maintainability so engineers take ownership.

You’re chasing developers, nagging, and burning political capital; no one takes ownership when something breaks; and you lack metrics. The hardest case isn’t the obviously broken program; it’s the one everyone believes works but doesn’t. Customers and repeat pentest findings will eventually expose it, so become data-driven and “trust and verify.”

Focusing on tools instead of process. The greatest tool does nothing if no one uses it or there’s no process around it. New CISOs especially over-rotate on tooling; people rally around process and partnership, not tools.

They are tools, and AI is “the great amplifier.” With a strong process, AI makes you better; with a broken process, it makes the mess far worse. Code volume can explode (a 3-5K-line app becoming 80K lines), dramatically enlarging the threat model, so process, training, and security become more important, not less.

Don’t try to make security fully “invisible”; keep it visible and make developers part of it, or they never become aware or invested. Reframe friction as “safety” (speed bumps near a school) and manage the relationship: be on the same team, be diplomatic, and avoid an adversarial posture.

Start small. Land one easy win (e.g., separating credentials from code) and build on it a brick at a time until teams own security themselves. Alternatively, target the tech debt developers already hate and offer security as the lever to fix it. Above all, listen first; half the time that’s what gets people on board.