Kitecast

Bryan Cassady: AI Requires Humans and Guardrails

Host Patrick Spencer sat down with Bryan Cassady—director of the Global Entrepreneurship Alliance, eight-time founder, author of Cycles and The Generative Organization, and creator of the AI for Innovation Toolkit—to unpack why eight out of ten organizations still aren’t getting real business results from artificial intelligence [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-enterprise-risks/]. Cassady, who is on a public mission to train one million entrepreneurs on AI by 2027, argues that most companies are chasing “bright shiny” AI tools without a strategy, a change-management plan, or a clear understanding of why they’re adopting AI in the first place. The conversation is essential listening for CISOs, CIOs, CEOs, and business leaders trying to move beyond AI pilots and prove measurable ROI on their AI investments while keeping the right human oversight and security guardrails in place. A core theme of the discussion is what Cassady calls “the 1% problem”—the staggering gap between intention and action that means most book buyers, training attendees, and AI tool adopters never actually apply what they learn. His counterintuitive fix, which he has used to grow his own readership, is to give content away and bundle it with AI tools that close the gap between knowing and doing. He extends the same logic to enterprise AI adoption: stop using AI like a search engine and start using it like a thinking partner, or as he puts it, a “muse.” Cassady walks Spencer through his proven 90-day AI adoption framework—10 minutes a day for ten days to shift mindset, a focused business sprint around day fifteen, and a 75-day execution plan tied to two clear priorities rather than 10—and explains why effectiveness, not usage or efficiency, is the only AI metric that matters. Cassady and Spencer also dig into the future of agentic AI [https://www.kiteworks.com/cybersecurity-risk-management/ai-agent-security-data-layer-governance/], the disruption of the SaaS market, the rise of modular software, and Jevons paradox—the 1860s economic principle that explains why making thinking cheaper with AI will likely increase demand for skilled thinkers rather than eliminate jobs. Cassady is direct about the layoff narrative dominating AI headlines, calling mass workforce reductions a “smoke screen” in many cases, and offers concrete criteria business leaders can use to decide which teams are ready to adopt AI: Can you describe what you want to do? Are you ready to learn as you go? And—counterintuitively—are you prepared to increase headcount, since AI often generates more work, not less. He also explains why “AI-first” companies are getting it backwards, and why chess matches still prove that AI plus a human consistently beats AI or humans alone -- the clearest argument yet that durable AI value requires humans in the loop [https://www.kiteworks.com/cybersecurity-risk-management/ai-governance-sensitive-data-guide/]. The conversation closes with a candid look at AI cybersecurity, data privacy, and risk management—the guardrails side of the title and the topics Kiteworks audiences care about most. Cassady and Spencer discuss why security teams are too often brought into AI projects as an afterthought rather than at the strategy stage, the very real risks of AI-generated passwords, prompt injection through hidden text, and the data-leak exposure created when employees feed strategic plans and PII into public large language models [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-security-crisis-shadow-ai-governance-strategies-2026/]. Patrick highlights the growing importance of data security posture management (DSPM) [https://www.kiteworks.com/risk-compliance-glossary/data-security-posture-management/] and AI governance [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-governance-guide/] as private content channels multiply, while Cassady reminds leaders that the right answer is not to ban AI but to integrate security thinking into AI strategy from day one [https://www.kiteworks.com/platform/simple/ai-data-gateway/]. Listeners will leave with a practical playbook for aligning AI initiatives with business goals and a sharper view of where agentic AI is headed. LinkedIn Profile: https://www.linkedin.com/in/bryancassady/ [https://www.linkedin.com/in/bryancassady/] Books The Generative Organization: AI Playbook for Exponential Leaders: https://www.amazon.com/dp/B0FJG7BRG2 [https://www.amazon.com/dp/B0FJG7BRG2] CYCLES: Innovate 6X faster, Reduce Risks by 50%: https://www.amazon.com/CYCLES-simplest-proven-innovate-reducing-ebook/dp/B09L1J7MYL [https://www.amazon.com/CYCLES-simplest-proven-innovate-reducing-ebook/dp/B09L1J7MYL] Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Dr. Rick Goud: 1 in 3 Firms Hit with Data Sovereignty Incidents

In this Kitecast episode, Patrick Spencer sits down with Rick Goud, Kiteworks' Field CTO and a recognized European data sovereignty expert, to unpack findings from the Kiteworks Data Security and Compliance Risk: 2026 Data Sovereignty Report [https://www.kiteworks.com/sites/default/files/resources/kiteworks-report-2026-data-sovereignty-compliance-incidents.pdf]. The central paradox jumps off the page: Roughly 80% of the 286 professionals surveyed across Canada, the Middle East, and Europe feel well informed about sovereignty requirements, yet one in three experienced a sovereignty-related incident in the past 12 months. Rick pushes back on the "well informed" number, arguing that most stakeholders rely on a narrow definition — equating sovereignty with data residency or local vendor logos. The real question, he says, is not where your data lives but who holds the keys to it. The regional picture tells three different stories. The Middle East reports a 44% incident rate — nearly double Canada's 23% — despite moving fastest on sovereignty ambitions, as detailed in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in the Middle East [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-middle-east-data-sovereignty-2026-compliance-risk.pdf]. Rick attributes this to maturity pressure: The pivot away from well-stress-tested hyperscalers toward younger local alternatives introduces security gaps that hyperscaler transparency reports historically do not show. Europe, covered in depth in the Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Europe [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-eu-data-sovereignty-2026-compliance-risk.pdf], is pursuing a pragmatic "glocal" model — only 4% plan to go fully local — layering sovereignty controls like customer-held encryption keys on top of Microsoft 365 and Azure rather than attempting a wholesale exit. The Kiteworks 2026 Data Security and Compliance Risk: Data Sovereignty in Canada [https://www.kiteworks.com/sites/default/files/resources/kiteworks-executive-summary-canada-data-sovereignty-2026-compliance-risk.pdf] shows a similar pattern, with 40% citing Canada-U.S. data-sharing shifts as their top concern, pushing organizations to rethink key custody rather than abandon U.S. providers entirely. AI governance emerges as the unresolved frontier. Rick is blunt: He has not yet seen a company that has solved governed AI data sharing at scale. Organizations are caught between blanket ChatGPT and Claude bans [https://www.kiteworks.com/platform/compliance/compliant-ai/] that sacrifice productivity, and open access that sacrifices compliance. His prediction — agentic AI will roughly double the digital workforce within two years — makes a centralized policy decision point [https://www.kiteworks.com/secure-managed-file-transfer/private-data-network/] non-negotiable. Rick's two-takeaway close is crisp: Adopt an internal sovereignty framework so stakeholders stop talking past each other with different definitions and never accept a vendor's sovereignty claim on faith — validate it against your framework. He also warns against vendor lock-in, because the winners of 2026 will not be the winners 12 months later. Listen to the full episode on the Kitecast podcast page [https://www.kiteworks.com/kitecast/] for the complete conversation. Rick Goud’s LinkedIn Profile: https://www.linkedin.com/in/rickgoud/ [https://www.linkedin.com/in/rickgoud/]  Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Aaron McCray: Ferrari Security: Speed With Guardrails

Can you drive a Ferrari at 150 miles per hour without its enhanced safety package? Sure. Should you? That's the question Aaron McCray, Field CISO at CDW and retired U.S. Navy Commander with 27+ years in information warfare, poses to every CISO still white knuckling their way through 2026 with a 2021 playbook. In this episode of Kitecast, host Patrick Spencer and McCray dig into why the old way of doing security isn't just outdated—it's dangerous. McCray traces the CISO's evolution from post-COVID belt-tightener—the person whose job was to consolidate tools, justify every dollar, and basically serve as the "office of no"—to something far more consequential. Today's CISO needs to be a strategic risk executive who speaks the language of CFOs, not just firewalls. That means understanding EBITDA, financial risk quantification, and how a $350,000 investment in multi-factor authentication can translate into $35 million in reduced risk exposure. If you can't make that pitch, McCray argues, you're getting left behind. The conversation takes a sharp turn into the AI landscape [https://www.kiteworks.com/platform/simple/ai-data-gateway/], and McCray doesn't hold back. He's seen PCs, the internet, and mobile technology reshape the world over his career, but nothing compares to what AI is doing right now. "I don't mean that to sound like hyperbole," he says. "I really don't." The speed, the capability, the risk—it's all unprecedented. And while organizations scramble to harness AI's potential, many are sleepwalking past the dangers. Shadow AI [https://www.kiteworks.com/cybersecurity-risk-management/ibm-2025-data-breach-report-ai-risks/]is McCray's particular concern. He describes employees accessing public AI tools through browsers, unknowingly opening backdoors that exfiltrate proprietary data and invite threats back in. That leads to what might be the podcast's most important thread: ethics. McCray pulls no punches with real-world examples. One global organization trained AI to screen resumes and ended up systematically discriminating against qualified women. Another rushed self-driving technology to deployment before it was ready, resulting in a pedestrian's death. His message is blunt—just because you can doesn't mean you should. And without humans in the loop, governance frameworks, and genuine ethical guardrails, AI will optimize for whatever you point it at without ever asking whether it should. McCray also makes a compelling case for data security posture management [https://www.kiteworks.com/cybersecurity-risk-management/dspm-vs-traditional-data-security/], arguing that data isn't just a cybersecurity problem—it's a business problem. His parting advice for CISOs? Stop leading with fear, uncertainty, and doubt. Stop blocking innovation. Start enabling the business to move fast—but safely. He compares it to buying a Ferrari that you can drive it stock, or you can invest in the enhanced safety package. When you're doing 150 down a two-lane road, you'll want those features. LinkedIn: https://www.linkedin.com/in/awmccray/ [https://www.linkedin.com/in/awmccray/]  Website: https://www.cdw.com/ [https://www.cdw.com/]  Recommended Reading: Walt Powell, The CISO 3.0: A Guide to Next-Generation Cybersecurity Leadership [https://www.amazon.com/CISO-3-0-Next-Generation-Cybersecurity-Leadership/dp/1032840072/ref=sr_1_1?]  Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Justin Greis: AI Meets Cybersecurity

Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey's cybersecurity practice and founder of an AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation. Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren't in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly. Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards. Greis emphasizes that compliance certifications like SOC 2 [https://www.kiteworks.com/platform/compliance/soc-2-compliance/] or ISO [https://www.kiteworks.com/platform/compliance/iso-compliance/] represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards. The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer. The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details. As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data [https://www.kiteworks.com/cybersecurity-risk-management/ai-data-privacy-risks-stanford-index-report-2025/] it shouldn't process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries. Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows. LinkedIn: https://www.linkedin.com/in/justingreis/ [https://www.linkedin.com/in/justingreis/] Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.

Kevin Powers: From Academic to Practical Cybersecurity

Kevin Powers, Faculty Director of the Masters of Legal Studies in Cybersecurity Risk and Governance at Boston College Law School, began his professional and academic journey when he volunteered for a task force exploring cybersecurity education at Boston College. Rather than developing a purely technical curriculum, he advocated for an interdisciplinary approach that would integrate law, business, and risk management. "Cybersecurity is not just a technical issue," Powers explained during the podcast episode. Working with stakeholders from the White House, FBI, major financial institutions, and technology companies, the team built a curriculum designed to produce well-rounded cybersecurity professionals. The program launched in 2015 and recently transitioned to BC Law School, offering 10 courses taught entirely by practitioners actively working in the field. Students include FBI agents, financial compliance officers, and executives from Fortune 50 companies, with an average age of 33. A central theme of Powers' program is bridging the communication divide between technical teams and business leadership. With recent SEC regulations and requirements like New York's DFS Part 500 mandating board-level cybersecurity oversight, organizations need professionals who understand both technical controls and business implications. "Boards are recognizing cybersecurity as a core business function," Powers noted, emphasizing that every company operating on networks faces operational risk when systems go down. The program prepares students to communicate cyber risk in business terms and develop governance frameworks aligned with regulatory requirements like CMMC 2.0 [https://www.kiteworks.com/platform/compliance/cmmc-compliance/], FedRAMP [https://www.kiteworks.com/platform/compliance/fedramp-authorization/], and the NIST Cybersecurity Framework. The program has evolved rapidly to address artificial intelligence governance. Powers redesigned his coursework after discovering AI tools could complete assignments in minutes, shifting 70% of grading to oral presentations that emphasize critical thinking over output. Looking ahead, Powers identified cloud security and data sovereignty as critical concerns. Many organizations mistakenly believe SaaS platforms automatically back up their data, leaving them vulnerable during incidents. The CDK Global attack on car dealerships illustrated how unprepared businesses can be when cloud services fail. Beyond academics, Powers emphasizes creating networks. Graduates maintain connections with government agencies, financial institutions, and technology companies, facilitating collaboration across sectors. The program hosts the annual Boston Conference on Cybersecurity [https://www.bc.edu/bc-web/schools/law/sites/boston-conference-on-cyber-security.html], which draws hundreds of attendees including CISOs from major sports franchises and law enforcement leaders. For organizations navigating increasingly complex regulatory landscapes, Powers' message is clear: cybersecurity expertise must extend beyond technical skills to encompass governance, compliance, and strategic business alignment. As cyber threats evolve, professionals need frameworks like NIST to demonstrate reasonable security practices to regulators while protecting operational continuity. LinkedIn: https://www.linkedin.com/in/kevin-powers-54893a8/ [https://www.linkedin.com/in/kevin-powers-54893a8/]  Boston College School of Law: https://www.bc.edu/bc-web/schools/law.html [https://www.bc.edu/bc-web/schools/law.html]  Check out video versions of Kitecast episodes at https://www.kiteworks.com/kitecast or on YouTube at https://www.youtube.com/c/KiteworksCGCP.