How CISOs are moving beyond blocking threats to protecting revenue in the battle against 'Shadow IT'

Island News Desk | Sep 3, 2025 | Secure by Design

Former CISO of Caterpillar's financial services division and current CISO in Residence at Team8, Ross Young, on how the rise of "Shadow AI" and "vibe coding" has rendered traditional cybersecurity playbooks obsolete, creating massive, unmanaged risks for enterprises.

Credit: Outlever

Shadow AI is quickly becoming one of the most insidious cybersecurity threats in modern enterprises. Today, employees can spin up tools and plug them into sensitive data with little oversight, creating risks far greater than the Shadow IT of years past. Yet most companies remain unprepared. A recent report found that 63% of organizations lack AI governance policies, leaving leadership blind as their attack surface grows at an alarming pace. The CISOs who succeed will reimagine security, moving it from a reactive gatekeeper to a proactive, embedded function that operates, as one expert put it, "at the speed of code."

We spoke with Ross Young, CISO in Residence at Team8 and former CISO of Caterpillar's financial services division. Young has spent two decades pushing the boundaries of cybersecurity leadership as an officer at the CIA, and said the only viable solution now is shifting control to the point of creation, bringing development back in-house, and embedding security directly into the coding pipeline.

  • A shift back to in-house: "Development needs to come back in-house. It’s much easier to control things that are built by the company," Young said. "Once developers are creating software internally, you have to make it easier to do the right thing than the wrong thing." It’s about building a secure-by-default environment, not just blocking tools. "All software has to be uploaded to one GitHub repository; we’re not going to have 20 different places. From there, every upload requires both a security scan and a compliance scan."

  • Catching risks too late: "Trying to fix everything in production is too late. The real progress comes when security is built into AI itself, enforcing rules at the same pace as AI development. That’s when we actually start to move the needle," Young said. Instead of chasing vulnerabilities after deployment, he calls for embedding guardrails directly into the development pipeline. By shifting left and letting AI enforce policy automatically, security becomes scalable, consistent, and agile enough to keep up with modern development cycles.
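The two points above describe a pipeline where every upload to the single company repository must pass both a security scan and a compliance scan before it can proceed. The script below is an added example of the gate that sits at the end of such a pipeline; it is not code from the article, from Team8 or from Caterpillar. It assumes the security scanner emits SARIF 2.1.0 (the interchange format used by most SAST tools and by GitHub code scanning) and that the compliance scan emits a CycloneDX-style SBOM carrying SPDX license identifiers. The blocking-severity set, the denied-license list and both input documents are constructed for the example so that it runs offline.

```python
"""Policy gate for a CI pipeline: fail the build when the security scan or the
compliance scan reports findings that the policy does not allow.

Added example (not the article's or any vendor's code). Assumptions: the
security scanner writes SARIF 2.1.0, the compliance scan writes a CycloneDX
SBOM, and the policy values and sample documents below are illustrative.
"""
import json
import sys

# Assumed policy: SARIF result levels that block a merge, and SPDX license
# identifiers that may not enter the company repository.
BLOCKING_LEVELS = {"error"}
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only", "SSPL-1.0"}

# Constructed SARIF document (SARIF 2.1.0 shape: runs -> results -> locations).
SAMPLE_SARIF = json.dumps({
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-sast"}},
        "results": [
            {"ruleId": "sql-injection", "level": "error",
             "message": {"text": "Unsanitized input reaches a SQL query"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"},
                 "region": {"startLine": 42}}}]},
            {"ruleId": "unused-import", "level": "note",
             "message": {"text": "Unused import"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/util.py"},
                 "region": {"startLine": 3}}}]},
        ],
    }],
})

# Constructed CycloneDX-style SBOM (components carrying SPDX license ids).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "components": [
        {"name": "requests", "version": "2.32.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"name": "some-copyleft-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    ],
})


def security_violations(sarif_text):
    """Return (ruleId, file, line) for every SARIF result at a blocking level."""
    doc = json.loads(sarif_text)
    found = []
    for run in doc.get("runs", []):
        for res in run.get("results", []):
            # SARIF defines the default level of a result as "warning".
            if res.get("level", "warning") not in BLOCKING_LEVELS:
                continue
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            found.append((
                res.get("ruleId", "?"),
                loc.get("artifactLocation", {}).get("uri", "?"),
                loc.get("region", {}).get("startLine"),
            ))
    return found


def compliance_violations(sbom_text):
    """Return (component, license) for every component under a denied license."""
    doc = json.loads(sbom_text)
    found = []
    for comp in doc.get("components", []):
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in DENIED_LICENSES:
                found.append((comp.get("name", "?"), lic_id))
    return found


def gate(sarif_text, sbom_text):
    """Apply both scans and return (passed, report_lines).

    Both scans are always evaluated, so a failing security scan never hides
    the compliance findings: the developer gets one report and one fix cycle.
    """
    report = []
    for rule, path, line in security_violations(sarif_text):
        report.append(f"SECURITY  {rule} at {path}:{line}")
    for name, lic in compliance_violations(sbom_text):
        report.append(f"LICENSE   {name} is {lic}")
    return (not report), report


if __name__ == "__main__":
    # In CI, pass the scanner output files as the two arguments; with no
    # arguments the constructed samples are used. A non-zero exit fails the job.
    sarif = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_SARIF
    sbom = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SBOM
    ok, lines = gate(sarif, sbom)
    print("\n".join(lines) or "no findings")
    sys.exit(0 if ok else 1)
```

Run as the last step of the upload workflow, with the branch protected so that a failing job blocks the merge, the gate makes the right thing the default: code that scans clean lands without anyone from security in the loop, and code that does not is rejected with the exact finding, which is what "easier to do the right thing than the wrong thing" means in practice.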

Old metrics have lost their power in the boardroom, said Young. In the age of AI, CISOs must adopt a new language of risk and value, one that speaks directly to revenue, resilience, and growth.

  • The new CISO mandate: "The CISOs who win won’t be the ones with the most blocked threats. They'll be the ones who can show you exactly how security investments protect revenue, enable innovation, and keep AI from becoming its own worst enemy," Young stated. This requires moving away from vanity metrics and toward a narrative of business enablement.

For years, CISOs could enter the boardroom, declare that they had blocked three million threats, and receive applause for a job well done. Today, as board oversight intensifies, that same metric would be met with skepticism. The new mandate is to connect security activity to business outcomes. Young’s framework for this new conversation is built on telling a story of progress through trend and target data.

  • From static numbers to a story of progress: "I need to see the trend month over month," Young explained. "There’s usually a target goal or SLA, and we benchmark each month to see whether we’re moving closer to or further from that goal." Layered across tactical, midterm, and long-term horizons, this approach gives leadership a complete picture of the security program's health and trajectory.

  • Speaking the language of revenue: The most powerful stories reframe security from a cost center to a revenue protector. "Are we willing to risk $30 million in revenue to save $300k? Framing it as a penny on every dollar makes it clear how security protects revenue, and that’s the best way to link cybersecurity with the business."


A new boardroom narrative like Young's is essential as the risks of AI become more abstract and harder to control. The rise of "vibe coding", where non-developers rapidly build applications by prompting AI coding assistants, has supercharged the threat of Shadow AI. In this new era, even a well-intentioned employee could inadvertently expose the company’s entire customer database with just a few clicks, bypassing every compliance and security control in the process.

  • The downside of vibe coding: "Imagine someone on the marketing team starts vibe coding tomorrow. They’re unlikely to build a secure site, and it won’t comply with privacy laws like CCPA or GDPR—let alone Sarbanes-Oxley or the EU AI Act," Young said. Today’s complex IT environments magnify the problem. "Anyone who claims to classify every piece of data in their company and track it across all systems and endpoints is probably lying—or they’re running a one-person company."

  • The SaaS blind spot: The hope of tracing data flows to contain the risk is "pixie dust," in Young's opinion. The proliferation of SaaS tools, especially large CRM platforms with countless integrations, has made true visibility nearly impossible. With recent attacks highlighting vulnerabilities in popular CMS and CRM tools, his assessment is stark. "If you’re trying to secure a large CRM platform, you need a dedicated solution—something most security teams haven’t budgeted for or even considered. We’re essentially flying blind on CRM security, and most companies are failing at it today."

The goal is a security function that uses AI as an accelerator to enforce governance at a scale that matches the explosive pace of development. For CISOs navigating this new reality, the message is clear: the path to resilience is paved with a new architecture of control built for the speed of code.

Powered by Island.
© ISLAND, 2025, All rights reserved