AI is starting to change how the SOC operates, but the harder question is where autonomy should stop.

In this Security Edge session, William MacMillan, Chief Product Officer of Andesite and former CISO at the CIA and former SVP of InfoSec at Salesforce, examined how security leaders are weighing speed, risk, and oversight as AI moves from experimentation into operational use.

His view was that AI can reduce workload and improve response speed, but high consequence decisions still need human control.

Key takeaways:

  • AI is creating the most near term value in the SOC by accelerating analyst workflows and reducing manual effort, not by replacing human decision making.
  • Human oversight still matters most in high consequence decisions, even as AI takes on more observation, triage, and context building work.
  • Data discipline, cross functional collaboration, and strong fundamentals remain the conditions for safe and useful AI adoption in security operations.

 

Calm leadership matters most when pressure spikes

William framed security leadership through moments of pressure, where speed matters but poor communication can make incidents worse.

He reflected on stepping into the CIA CISO role as the SolarWinds breach unfolded, drawing on earlier experiences in war zone conditions and major cyber incidents.

Those environments reinforced the value of composure, early stakeholder engagement, and clear communication across technical and non technical groups.

His point was that strong leadership in cyber incidents depends on judgment under pressure.

Teams move faster when leaders create room for input, keep people aligned, and translate complexity into decisions the wider organisation can act on.

 

AI in the SOC is moving into live use, but autonomy still has limits

William argued that the market had moved past passive interest.

Organisations were no longer only exploring AI for security operations.

They were making platform choices, running proofs of value, and starting deployment decisions. Even so, adoption remained cautious.

The shift underway was practical rather than reckless.

He also pushed back on the idea of a fully autonomous SOC.

AI can already improve speed and reduce analyst burden, especially in observation and orientation work such as data processing, context building, and triage.

But decision and action stages still carry too much risk to hand over fully.

His model kept humans firmly in control, with AI supporting the work rather than replacing security judgment.

The near term gains are in speed, efficiency, and analyst leverage

William saw the strongest immediate value in using AI to compress time and remove repetitive effort.

He pointed to data correlation, threat triage, and workflow support as areas where security teams could get measurable gains without introducing unnecessary exposure.

In that model, AI helps analysts work faster and at greater scale, rather than reducing headcount or stripping away expertise.

He argued that organisations should keep their people in play and use AI to raise the output of the team already on the field.

The case for AI in the SOC was therefore less about autonomy for its own sake and more about practical uplift in speed and capability.

Data quality and collaboration will decide how far AI can go

William also made clear that AI outcomes in security depend heavily on data discipline and cross functional alignment.

Poor data quality and organizational silos weaken both cyber performance and AI usefulness.

He described cyber security as fundamentally a data problem, which made collaboration between CISOs and Chief Data Officers increasingly important.

He also pointed to AI’s role in identifying redundant data and improving efficiency, but the broader message was structural.

AI in the SOC will only scale well when the underlying data environment is reliable enough to support it and when security leaders are working closely with the rest of the digital leadership team.

 

New threats require urgency, but not panic

William closed on the pace of emerging risk, including AI driven vulnerability discovery and quantum related threats such as harvest now, decrypt later.

He treated both as serious, but rejected panic as a useful response. Leaders still needed to focus on fundamentals, especially identity, visibility, and control, while starting with the data and systems that mattered most.

That approach kept the conversation grounded. New risks were accelerating, but resilience still depended on disciplined execution rather than hype driven reactions.

Contributors
William MacMillan Former CISO of the CIA | Former SVP for Info Sec at Salesforce
William MacMillan is the Chief Product Officer at Andesite. Prior to this position, he was Senior Vice President for Information Security at... More

William MacMillan is the Chief Product Officer at Andesite. Prior to this position, he was Senior Vice President for Information Security at Salesforce.

Prior to his retirement from the federal government, William served as the Chief Information Security Officer (CISO) at the Central Intelligence Agency (CIA), where he led a sweeping transformation of the CIA’s cybersecurity strategy and organization.Prior to serving as CISO, William held multiple senior leadership positions at CIA dealing with various aspects of intelligence, counterintelligence, and cyber operations. During his career, he focused significant attention on insider threat, supply chain risk, and incident response issues, as well as the development of CIA’s Cybersecurity Operations Center (CSOC). Prior to joining CIA, William served as an officer and a pilot in the United States Air Force’s Combat Rescue and Special Operations communities.

William graduated from the United States Air Force Academy with a BS in Biology. He also holds an MA in International Relations from Salve Regina University and an MS in cybersecurity from George Mason University.William, his wife, and their three children reside in the Pacific Northwest.

Less
Matt Boon Senior Research Director at ADAPT
Matt Boon is the Senior Director for Strategic Research at ADAPT, responsible for directing and developing research content and positions. For over... More

Matt Boon is the Senior Director for Strategic Research at ADAPT, responsible for directing and developing research content and positions.

For over 30 years, Matt has worked in research and advisory, including senior leadership roles at Gartner as Principal Analyst, Research Director, and Managing Vice President, where his 18 year history included working with Dell, Microsoft, and many others.

Throughout his career, Matt has been a sought after and highly respected authority on the local and global IT landscape.​ He interacts with executives daily, bringing together groups of C-suite leaders to discuss and prepare for the challenges and opportunities they face.​

At ADAPT, Matt hosts numerous industry-leading business and technology events which Matt chairs, including the yearly Security Edge conference, delivering unique market trends and white-papers, advising executives across the technology provider landscape to make informed IT decisions.​

When he is not working, Matt enjoys walking the many trails of the NSW Southern Highlands, travelling and listening to music. He is also partial to a good steak and nice glass of red wine.

Less
data security leadership