Leading GenAI Security: What CISOs Need to Know

Gartner's 2025 insights reveal how SRM leaders can drive secure GenAI adoption. Discover how to bridge skills gaps, co-create security policies, and influence GenAI decisions without becoming blockers.

Leading GenAI Security: What CISOs Must Do to Stay Ahead

Generative AI is no longer a future concept—it’s already being deployed across most organizations, with leading use cases in data analysis, personalized chat experiences, and research, according to Gartner’s 2025 findings. As business units embrace this shift, security teams are racing to keep pace.

More than 40% of Security and Risk Management (SRM) leaders are already using GenAI within their cybersecurity functions, applying it to tasks like threat detection and incident response. However, this adoption isn’t without friction—over 40% also admit to critical skills gaps that limit their ability to support GenAI innovation securely.

In this blog, we’ll explore how CISOs can take a leadership role in closing those gaps, shaping GenAI policy, and building the right foundation for safe and strategic AI integration.

Why GenAI Needs Cybersecurity Leadership

As Generative AI spreads across organizations, it brings new security risks that many businesses aren’t prepared for. According to Gartner's recent research, most cybersecurity teams do not have full control over how GenAI tools are selected, used, or managed. This creates a dangerous gap.

When security leaders aren’t involved early, GenAI tools can be misused, leading to data leaks, unauthorized access, or unreliable outputs. Despite these risks, cybersecurity is often seen as a support function, not a decision-maker.

This is where CISOs must step in and lead. By taking an active role in GenAI projects, they can define safe usage, create clear policies, and ensure that security is part of every decision—not an afterthought.

To dive deeper into the specific risks GenAI introduces, check out the Keepnet article on generative AI security risks.

How GenAI Is Already Reshaping Cybersecurity

GenAI is not just a business tool—it’s reshaping how cybersecurity operates. As organizations deploy GenAI for data analysis, chat-based support, and research, cybersecurity teams are being pulled into the fold to manage its risks and secure its use.

In response, security teams are beginning to adopt GenAI themselves for tasks like detecting threats faster, summarizing incidents, and supporting investigations. But this transformation isn’t happening in isolation. More than half of cybersecurity leaders now work with data, privacy, and compliance teams on GenAI-related issues.

This cross-functional shift is changing the CISO’s role. Instead of owning every part of GenAI oversight, security leaders must focus on enabling secure adoption—setting guardrails, defining standards, and partnering with other functions to manage shared risks.

Picture 1: Current State of GenAI Adoption (Source: Gartner)

How SRM Leaders Have Influence on GenAI’s Development and Deployment

Security and risk management (SRM) leaders are increasingly involved in shaping the development and deployment of generative AI (GenAI) technologies within their organizations. More than 70% of SRM leaders indicate that the cybersecurity function has at least some level of influence over GenAI-related decisions.

This demonstrates a growing recognition of the importance of cybersecurity in guiding safe and responsible AI adoption.

However, this influence often falls short of full decision-making authority. In most cases, cybersecurity’s input is considered but does not serve as a gatekeeper for final approvals. Only 24% of cybersecurity teams report having the definitive authority to approve or reject the use of GenAI tools based on security or risk concerns.

Similarly, just 26% of cybersecurity leaders have the final say in determining which GenAI tools or use cases can be piloted or tested within their organizations.

Picture 2: Cybersecurity Adoption of GenAI (Source: Gartner)

These findings highlight a significant gap between influence and control. While SRM leaders are increasingly part of the conversation around GenAI implementation, their ability to enforce security-driven decisions remains limited in many enterprises.

Bridging this gap will be essential to ensuring that GenAI technologies are adopted in a secure, compliant, and strategically aligned manner.

Building the Right Policies – Why Collaboration Is Critical

As GenAI adoption grows, security policies can’t be built in isolation. According to Gartner, co-creating GenAI-related policies with other business functions, like data, privacy, and compliance, significantly improves the chances of secure and timely adoption.

When policies are developed with input from key stakeholders, they’re more practical, better understood, and easier to enforce. This collaborative approach also helps ensure that security teams are seen as partners, not roadblocks.

CISOs should lead the development of GenAI policies, but they must also bring in voices from across the organization. This involves aligning security standards with operational realities and making policies accessible and usable for end users.

To strengthen alignment with business leaders and improve communication, explore Top 5 Reasons CISOs Fail to Engage Executives and Boards — And How to Fix Them.

Addressing the GenAI Cybersecurity Skills Gap

As GenAI becomes more embedded in cybersecurity operations, many teams are struggling to keep up. Securing AI systems requires understanding how models ingest data and produce outputs, and how that creates risks such as data leakage and unreliable results, which is a different skill set from what traditional security roles demand. Many organizations aren’t prepared for it.

According to the World Economic Forum’s Global Cybersecurity Outlook 2025, the cyber skills gap is getting worse. Since 2024, it has grown by 8%, and now two out of three organizations say they don’t have enough skilled people to meet their security needs. Only 14% feel confident they have the right skills in place today.

This shortage is especially concerning for CISOs managing GenAI adoption. Traditional hiring methods and certifications don’t always reflect what’s needed for AI-driven environments. Instead, CISOs should look for adaptability, critical thinking, and logical reasoning—skills that support fast learning and decision-making in unfamiliar scenarios.

To close this gap, hands-on learning and targeted practice are essential. Keepnet’s AI-powered Phishing Simulator helps teams build these skills by exposing users to realistic GenAI-based phishing tactics, helping them recognize and respond to evolving social engineering threats driven by AI.

Aligning with Board and CIO Concerns on GenAI

Boards and CIOs both see the value of GenAI, but they worry about different risks. Boards are mainly concerned with security threats and data privacy, while CIOs focus on issues like AI errors, misinformation, and intellectual property risks, according to Gartner.

For CISOs, this means one message doesn’t fit all. To get support, security leaders need to speak the language of each audience. Boards want to know how GenAI will be kept secure. CIOs want to understand how risks like biased outputs or hallucinated results will be managed.

By addressing these concerns clearly and separately, CISOs can build stronger trust and influence at the executive level.

SRM Leaders Must Shift from Advisors to Decision Makers

Security and Risk Management (SRM) leaders are increasingly involved in GenAI discussions, but they rarely control the final decisions. According to Gartner, while over 70% of cybersecurity teams have at least some influence over GenAI-related choices, only 24% have the definitive authority to approve or reject GenAI tools on security or risk grounds, and just 26% have the final say over which GenAI tools or use cases can be piloted.

This gap puts organizations at risk. When cybersecurity input is limited to advice, GenAI tools may be adopted without proper controls, opening the door to security threats, data exposure, and compliance issues.

CISOs need to shift from reactive advisors to active decision-makers. To do that, they should:

  • Set clear policies on GenAI usage
  • Lead response plans for AI-related incidents
  • Help evaluate and approve GenAI vendors

Practical Tools to Accelerate Secure GenAI Adoption

As GenAI becomes part of daily business operations, security leaders need tools that can both enable adoption and manage the risks. Gartner emphasizes that cybersecurity should not block innovation, but instead support it with clear guidance, oversight, and training.

To do this effectively, CISOs must equip their teams with tools that raise awareness, test real-world behavior, and enforce security standards across departments. This includes:

  • Simulating GenAI-related threats, such as AI-generated phishing, smishing, or quishing attacks
  • Tracking risky user behavior in response to these threats
  • Benchmarking human risk levels across teams to focus resources where needed

Keepnet’s Human Risk Management Platform, along with tools like the Phishing Simulator, Smishing Simulator, and Quishing Simulator, empowers security teams to do exactly that. These tools help organizations test employee readiness, train them against GenAI-enabled attacks, and reduce human error, a leading cause of breaches.

A CISO’s Role in Leading Safe GenAI Adoption

As GenAI becomes part of core business operations, CISOs must act as enablers of secure, responsible adoption rather than being cast as gatekeepers who only say no. Gartner highlights that SRM leaders can no longer be passive participants—they must take a leading role in shaping GenAI strategy.

To lead effectively, CISOs should:

  • Engage early in GenAI planning and tool selection
  • Collaborate with legal, privacy, and data teams on policy development
  • Address internal skills gaps through targeted upskilling
  • Use tools that simulate GenAI threats and measure human risk

Keepnet’s Extended Human Risk Management Platform supports this leadership role. With AI-driven phishing simulations, adaptive security training, and automated phishing response, it enables CISOs to reduce employee-driven threats, insider risks, and AI-enabled social engineering—turning people into a proactive layer of defense.

By taking the lead and equipping their teams with the right tools, CISOs can ensure GenAI adoption is both fast and secure.
