William MacMillan, former CISO at the CIA and former SVP for InfoSec at Salesforce, outlines the foundational work CISOs must lead to align AI adoption, zero trust, and insider risk with culture and long-term strategy.

At Security Edge, William will join 150 of Australia’s top CISOs and CSOs to share lessons from both national security and global tech as he unpacks the organisational and cultural structures that drive modern cyber resilience.


AI adoption must follow purpose, not pressure

William emphasised that AI should not be adopted to satisfy a vague mandate or trend. Organisations must start with clarity on what they want to achieve and use proofs of concept to test these goals.

He warned against treating AI as a standalone objective without first understanding the current maturity of security processes.

He advised CISOs to map out where their existing practices work and where they fail, stressing the need to define what success would look like before embedding AI into security environments.

Strong communication with leadership and employees is essential.

William noted that AI is creating significant anxiety across teams, and leaders must explain how new technologies align with broader mission and strategy.

He also encouraged organisations to define principles that guide technology adoption based on their unique context to avoid implementing tools that create more challenges than they solve.


Zero trust must be built from a strong operational base

William stressed that a zero trust roadmap must start with a clear understanding of the current environment.

This includes documenting systems and identifying visibility gaps.

Foundational controls like phishing-resistant multi-factor authentication must also be in place, as many organisations still lag in this area.

With a solid base, CISOs should define a phased zero trust vision.

William warned that full-scale rollouts can overwhelm teams, so starting in specific areas helps build confidence and capability before scaling.

He also clarified that zero trust and compliance are not in conflict.

When aligned, zero trust can strengthen compliance efforts.

While regulatory demands remain complex, embedding zero trust into compliance strategies can reduce the burden over time.


Security culture must be designed with intention

William noted that cyber environments are high-stress and fast-paced, which makes leadership more complex.

To manage this, he urged CISOs to structure their teams so not all functions are drawn into constant incident response.

Roles like hiring, training, and outreach should operate in calmer, strategic spaces where they can shape and reinforce culture.

He emphasised the need for culture to reflect lived values.

If transparency and accessibility are priorities, leadership must model those behaviours.

Too often, organisational structures contradict cultural goals.

William encouraged CISOs to intentionally align structure and leadership with the culture they want to build and sustain.


Insider risk must be addressed without undermining trust

William acknowledged that many organisations avoid insider threat programs out of concern for damaging workplace culture.

However, he emphasised that insider threats are real and common in large environments, despite psychological resistance to accepting the risk, particularly when it involves premeditated behaviour.

He argued that insider risk can be managed without undermining trust, provided the approach is intentional.

He advised forming an executive committee with legal, HR, and psychological expertise to guide the program and ensure it aligns with company values.

Rather than adopting tools based on technical capability alone, William urged CISOs to set clear principles that keep insider risk monitoring aligned with the organisation’s mission and culture.


Operations centres must improve decision-making

Drawing on his experience with the CIA’s Cyber Security Operations Centre, William explained that these centres exist to streamline decision-making across distributed, complex teams.

To succeed, organisations must first identify where decisions are breaking down and protect processes that already work.

He stressed the need to align stakeholders early, as shifting decision-making authority often creates tension.

Clear roles, responsibilities, and authority limits should be defined upfront, supported by regular exercises to ensure workflows remain effective.


CISOs should explore emerging tools that reduce fatigue

William expressed optimism about new security technologies that promise to address long-standing challenges like tool sprawl and alert fatigue.

He encouraged CISOs to start understanding these solutions now, even if they are still evolving.

Those who engage early will be better positioned to adopt and scale them effectively as they mature.


Key takeaways

  • Organisations must define clear objectives before adopting AI in security operations.
  • Visibility, documentation, and strong foundations are essential before implementing zero trust.
  • Zero trust and compliance strategies should work together to improve security maturity.
  • Cultural alignment and structure are critical to sustaining effective cyber teams.
  • Insider threat programs must be multidisciplinary and designed around organisational values.
  • Security operations centres must be built to support fast, coordinated decisions across silos.
  • CISOs should engage early with promising new technologies that address long-standing operational pain points.

Contributors
William MacMillan Former CISO of the CIA | Former SVP for Info Sec at Salesforce

William MacMillan is the Chief Product Officer at Andesite. Prior to this position, he was Senior Vice President for Information Security at Salesforce.

Prior to his retirement from the federal government, William served as the Chief Information Security Officer (CISO) at the Central Intelligence Agency (CIA), where he led a sweeping transformation of the CIA’s cybersecurity strategy and organization. Prior to serving as CISO, William held multiple senior leadership positions at CIA dealing with various aspects of intelligence, counterintelligence, and cyber operations. During his career, he focused significant attention on insider threat, supply chain risk, and incident response issues, as well as the development of CIA’s Cybersecurity Operations Center (CSOC). Prior to joining CIA, William served as an officer and a pilot in the United States Air Force’s Combat Rescue and Special Operations communities.

William graduated from the United States Air Force Academy with a BS in Biology. He also holds an MA in International Relations from Salve Regina University and an MS in cybersecurity from George Mason University. William, his wife, and their three children reside in the Pacific Northwest.

Justina Uy Content Strategist

Justina Uy is a data-driven content producer who thrives on democratising elite know-how to empower Australia’s underdogs.

Skilled at translating complex ideas into a compelling story across formats and channels, she shifts seamlessly between writing long-form articles, creating viral social media posts, and producing thumb-stopping videos.

Since 2015, Justina has executed her vision through a sophisticated understanding of the rapidly evolving digital and business landscape, serving entertaining and educational insights to the executive community.
