Five Takeaways From Cycode’s Shift to AI Episode #1: The CVE Tsunami Is Coming – Are You Ready?

Cycode has debuted its first-ever podcast, Shift to AI, with a conversation grounded in a simple fact: Mythos-class models are here, and security leaders are already operating in the world they’ve created.

The series is hosted by Roland Cloutier, Principal of The Business Protection Group and former Global Chief Security Officer at TikTok, ADP, and EMC. For the first episode, “The CVE Tsunami Is Coming – Are You Ready?”, he is joined by Ramy Houssaini, Chief Cyber Solutions Officer at Cloudflare and a multiple-time CISO, and Phani Dasari, Chief Trust & Resilience Officer at Firstsource, also a multiple-time CISO.

Between them, the three bring decades of experience leading security inside major global organizations and are therefore very well-positioned to discuss what AI-driven development means for security programs, defensive operations, and the future of the CISO role.

Here are five takeaways from the episode.

1. Security is Moving Beyond the “Storm”

We all know that Mythos-class models have changed operating conditions for security teams everywhere. But is this change permanent? Houssaini certainly thinks so, arguing that the industry is no longer dealing with a temporary surge in AI-driven risk. “This is no longer a storm. This is climate change.”

For decades, security programs relied on an assumption that skilled defenders, armed with enough tools and expertise, could think faster than attackers. Houssaini said that the assumption has expired.

AI can discover vulnerabilities in bulk, chain them, and support highly orchestrated attacks. At the same time, advanced capabilities once associated with sophisticated threat actors are becoming more widely available.

Dasari described the shift through four factors: scope, speed, scale, and sophistication.

The implications for defenders were discussed throughout the rest of the podcast.

adadad

2. Architecture Will Become the Ultimate Control

If vulnerability discovery and exploitation move at machine speed, patching on its own cannot hope to carry the defensive load.

Houssaini made the case for a stronger focus on containment, segmentation, blast radius, and recovery. He pointed to metrics such as defender lag, time to contain against adversary time to exploit, and the accessibility of ‘crown-jewel’ systems.

The discussion raised a bigger question for security leaders: if incidents cannot always be prevented, how should environments be engineered so that exploitation does not lead to catastrophic loss?

According to Houssaini, architecture is going to become the ultimate control.

3. Governance Has to Move at a Different Speed

AI readiness is not a tooling problem. Instead, governance repeatedly came up as one of the most important constraints.

Traditional approval cycles can become a serious weakness when both attackers and defenders operate at machine speed. Houssaini argued that organizations need to rethink which decisions can be automated and which require humans “on the loop” to validate execution.

Dasari added that AI governance cannot simply sit with the CISO. It needs the right people around the table, including AI and data leadership, technology teams, business owners, and security.

That becomes particularly important as autonomous agents make decisions that affect business outcomes.

adadad

4. The CISO Mandate is Expanding into Trust and Resilience

Dasari originally joined Firstsource as a CISO. His role evolved into Chief Trust & Resilience Officer, and the reasoning behind that change laid the foundation for one of the episode’s most intriguing discussions.

In an agentic environment, companies depend more and more on automated decisions and outcomes. Model drift, malicious interference, and failures in autonomous systems can lead to consequences that extend well beyond ‘conventional’ information security.

Dasari argued that security leaders need to think in terms of outcome-based assurance and outcome-centric quantification. The discussion explored what happens when the problem is no longer simply whether a system was breached, but whether an AI-driven process produced harmful or incorrect outcomes at scale.

5. Security Teams Will Need More Builders

What needs to change first inside the security organization?

Houssaini said cybersecurity teams need more builders as attack-and-response protocols shift. Security teams will deploy more agents themselves, but they will need to think carefully about agent scope, identity, privileges, and observability.

Dasari brought the conversation back to people. His advice is practical: security practitioners already possess something highly valuable, namely, deep domain knowledge of their own environments. Pair that knowledge with engineering capability, start experimenting, and build AI fluency through real work.

At the end of the episode, the experts offered practical advice for the next 30 days. This included gaining visibility into AI pipelines, LLMs, APIs, third-party AI, and agents, and running a focused experiment against a critical system. Listen to the full first episode of Shift to AI to learn more.

adadad