
Cyber Means Business: Matt Hillary on Why Security Leaders Must Become the “Department of Know”

By Joan Goodchild

Jun 17, 2026

Today’s security leaders can no longer operate as gatekeepers focused solely on blocking risk, argues Matt Hillary, chief information security officer at Drata. Instead, CISOs must serve as strategic business advisors who help organizations innovate responsibly and build trust at scale.

Matt Hillary used to believe cybersecurity worked like engineering: if you built the system carefully enough, you could eliminate failure. But after almost 20 years in security leadership roles at Amazon Web Services, Adobe, Ernst & Young, and now Drata, he realized the modern CISO carries an impossible expectation: preventing every threat in an environment where risks evolve daily. The turning point came when a friend challenged his “zero tolerance” mindset, telling him perfection simply doesn’t work in cybersecurity. That conversation reshaped how Hillary approaches leadership. Today, he says security teams can no longer operate as the “Department of No” in a quest to quash all risks. Instead, they must become the “Department of Know,” helping businesses understand risk clearly enough to make smart, informed decisions rather than trying to eliminate uncertainty entirely.

In this edition of Cyber Means Business, Hillary, Drata’s chief information security officer, argues that modern security leaders can no longer operate as gatekeepers focused solely on blocking risk. Instead, CISOs must evolve into strategic business advisors who help organizations move faster, innovate responsibly, and build trust at scale.

That shift from risk guardian to business strategist, Hillary says, requires security leaders to fundamentally rethink how they communicate with executives, boards, and business stakeholders. Technical controls still matter, but the most effective CISOs increasingly frame cybersecurity in terms of business enablement, operational resilience, customer trust, and measurable outcomes.

At Drata, an AI-native platform that centralizes governance, risk, compliance, and trust management, Hillary oversees security, information technology, governance, risk, and compliance functions. Hillary says Drata’s mission aligns closely with his broader philosophy around security leadership: building trust through transparency, accountability, and continuous visibility into risk.

As organizations race to adopt artificial intelligence while simultaneously facing emerging regulatory frameworks like the European Union’s AI Act and expanding state-level AI governance efforts in the US, Hillary believes the role of the CISO is becoming increasingly intertwined with broader business strategy.

CISO Leadership Takeaways

  • Security leaders must evolve from the “Department of No” into collaborative business advisors who enable innovation responsibly

  • Boards and executives respond more effectively to discussions framed around business impact rather than technical jargon

  • Organizations risk overcorrecting on artificial intelligence by implementing blanket bans that slow innovation

  • Continuous monitoring and real-time visibility are replacing static annual risk assessments

  • Third-party risk management has become critical because organizations are increasingly dependent on interconnected ecosystems

  • Strong governance and continuous controls can help organizations move faster rather than slowing them down


Joan Goodchild: Many CISOs have historically been viewed as the “Department of No.” How does that need to change?

Matt Hillary: For a long time, security teams were positioned as the people who blocked initiatives, slowed projects down, or rejected new technologies because of risk concerns. That approach does not work anymore, especially in environments where businesses are under pressure to move quickly and innovate continuously.

Security leaders need to evolve into what I call the “Department of Know.” That means helping the business understand risk clearly enough to make informed decisions instead of simply shutting things down. The role of the security team is not to eliminate all risk. It is to help the organization take the right risks responsibly.

That requires CISOs to become strategic advisors. Instead of speaking purely in technical language, they need to explain how security decisions affect revenue, customer trust, operational resilience, and business growth. When security teams position themselves as enablers instead of blockers, they become much stronger partners to the business.

What prevents many security leaders from making that transition successfully?

One of the biggest challenges is communication. Security professionals are trained to think technically, but boards and executive teams are focused on business outcomes. If a CISO walks into a board meeting talking only about vulnerabilities, controls, or tooling, they are probably going to lose the room pretty quickly.

Executives want to understand what those issues mean for the organization. Does it affect customer trust? Does it create operational disruption? Could it impact revenue or slow down strategic initiatives?

The most effective CISOs learn how to translate security into business language. They focus on outcomes instead of technical detail. That shift changes how the entire organization views security.

How is board-level scrutiny changing the way CISOs communicate risk?

Boards are asking much more sophisticated questions than they were even a few years ago, moving beyond whether organizations are protected to how cyber risk could impact revenue, regulatory exposure, operational resilience, and shareholder value. Security is no longer viewed as a purely technical issue. It is increasingly tied to enterprise risk, governance, and business continuity.

That means CISOs need to present risk in a way that is measurable and understandable. Instead of only discussing security posture in technical terms, they need to explain how risk is trending across the business and what that means operationally.

There is also much more emphasis now on continuous assurance rather than point-in-time assessments. Organizations cannot afford to treat risk management as something that happens once a quarter or once a year anymore. Risk changes constantly, especially in cloud environments and highly interconnected ecosystems.

Boards increasingly want confidence that organizations can identify issues quickly, respond quickly, and continuously validate that controls are functioning as intended.

You have said organizations may be overcorrecting on artificial intelligence adoption. What are you seeing?

In many industries, especially highly regulated sectors like finance, healthcare, and government, organizations are reacting to AI with blanket restrictions or outright bans. That response is understandable because there are legitimate concerns around privacy, governance, intellectual property, bias, accuracy, and security.

But completely shutting down experimentation can also create problems because of opportunity costs or employees finding ways to use these technologies. Innovation ultimately does not completely stop simply because policies say no.

I often compare AI adoption to learning how to surf. You cannot learn by standing safely on the shore forever. At some point, organizations have to get into the water and learn how to operate in that environment responsibly.

The key is balancing innovation with governance. AI systems are fundamentally different from traditional technologies because they are non-deterministic. A traditional API call gives you a predictable result every time. AI systems do not always behave that way.

Unpredictability is risky because we've built our entire approach to trusting technology on the assumption that systems behave the same way every time. AI breaks that assumption: the same input can produce a different output, with drift potentially happening invisibly over time. The answer isn't making AI deterministic; it's governing non-deterministic systems through oversight and continuous verification at machine scale.

That means organizations need to build trust gradually through governance, testing, monitoring, and transparency.

How is risk management evolving as organizations become more interconnected?

One of the biggest shifts is the move from static risk assessments to continuous risk management. Historically, companies conducted annual assessments or periodic reviews that quickly became outdated. That model no longer works in modern environments where changes happen constantly.

Organizations now need living risk management systems that provide continuous monitoring and ongoing validation. That applies internally as well as across third-party ecosystems.

Third-party risk has become especially important because companies are increasingly interconnected. An organization is often only as strong as its weakest vendor, partner, or supplier. If a third party experiences an incident, the impact can spread quickly across customers and business partners.

Real-time visibility into risks and continuous monitoring of risk-mitigating controls are becoming essential because organizations need the ability to identify issues early and respond rapidly when something changes.

How do CISOs balance pressure to move quickly with growing regulatory demands?

That balance is becoming one of the defining leadership challenges for modern CISOs. Businesses want speed, but regulators want accountability, transparency, and strong controls. The answer is not slowing everything down. It is building governance models that allow organizations to move faster safely.

One way organizations accomplish that is through shared controls and continuous monitoring. Instead of rebuilding compliance efforts from scratch every time a new framework or regulation appears, companies can create foundational controls that map across multiple standards. That reduces duplication and allows teams to focus only on the specific changes required by new regulations.

When governance and visibility are built into operations continuously rather than handled manually at isolated points in time, organizations become more agile. Security and compliance stop functioning as barriers and instead become mechanisms that support sustainable growth.

What do you think defines successful modern CISOs?

The role has expanded dramatically. Today’s CISOs are not just security builders and operators. They are business leaders, risk advisors, effective communicators, and strategic partners.

The most successful CISOs understand the business deeply enough to connect security decisions directly to organizational goals. They know how to build trust across the company, communicate clearly with executives and boards, and create programs that enable innovation responsibly.

At the end of the day, cybersecurity is fundamentally about trust. Organizations that can build and maintain trust with customers, employees, partners, and regulators are going to be in a much stronger position moving forward.


Written by Joan Goodchild

Joan Goodchild is a veteran journalist, editor, and writer who has been covering business technology and cybersecurity for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.