CISO Diaries: Jigar Shah on Why Trust May Be the Most Valuable Asset in the AI Era

For Jigar Shah, cybersecurity has never been primarily about technology. Throughout more than two decades leading global cybersecurity, technology, and digital transformation initiatives, he has viewed security through a different lens: trust. Trust between organizations and customers. Trust between employees and systems. Trust that innovation can move forward without creating unnecessary risk. It is a philosophy that has shaped his approach to leadership, helping organizations transform cybersecurity from a control function into a business enabler that supports growth, resilience, and innovation.

That perspective makes Shah a particularly compelling guest for CISO Diaries, a series that explores how security leaders think beyond frameworks, policies, and technology. With a background spanning cybersecurity, product innovation, digital transformation, business strategy, and law, Shah brings a multidisciplinary view to some of the biggest challenges facing organizations today. In this conversation, he discusses the tension between AI adoption and risk management, why culture often matters more than technology, and how security teams are evolving into stewards of trust as humans and AI increasingly work side by side. For Shah, the future of cybersecurity is not simply about protecting systems—it’s about enabling confidence in a world where decisions, interactions, and business outcomes are becoming increasingly automated.

How do you usually explain what you do to someone outside of cybersecurity?

I help the business innovate at full speed without driving off a cliff. I’m responsible for helping the company use technology safely. I tell people my job is to help the business move fast without taking unnecessary risks. When people hear “cybersecurity,” they often imagine someone sitting in a dark room fighting hackers all day. The reality is much different.

I tell people my job is to protect trust. Trust between patients and providers. Trust between our clients and our company. Trust that when someone logs into a system, their data is safe and available.

At the end of the day, I’m in the business of protecting trust.

What does a “routine” workday look like for you, if such a thing exists?

There’s really no such thing as a routine day in cybersecurity. Every day starts with a plan and ends with a surprise.

One hour I might be discussing AI governance with executives, the next reviewing vulnerabilities, and later helping teams enable a new business initiative securely. My day is usually a mix of strategy, risk management, leadership, and occasionally responding to unexpected events that require immediate attention.

The only predictable thing about cybersecurity is that it’s unpredictable.

What part of your role takes the most mental energy right now?

Keeping innovation moving while keeping risk from moving with it.

Right now, it’s AI.

Every business leader is asking, “How do we adopt AI faster?”

At the same time, security leaders are asking, “How do we protect data, maintain compliance, and avoid creating new risks?”

The challenge isn’t stopping AI. The challenge is creating guardrails that let people move quickly without putting the organization at risk.

Organizations want to move quickly with AI, cloud technologies, and automation, and rightly so. The challenge is helping the business realize those benefits while making sure security, privacy, and compliance keep pace.

What’s one security habit or routine you personally never skip?

I never ignore updates or security alerts on my devices. Most successful attacks exploit something simple that was overlooked. Security isn’t usually about one big mistake – it’s often a series of small ones.

Convenience is temporary. Recovery can take months.

What does your own personal security setup look like?

Nothing fancy – just consistent. I use a password manager, multi-factor authentication everywhere possible, encrypted devices, automatic updates, and secure backups. The best security setup isn’t the most complicated one – it’s the one you’ll actually maintain.

People sometimes expect security professionals to have some elaborate setup.

The truth is the strongest security practices are usually the simplest ones that people consistently follow.

What book, podcast, or resource has influenced how you think about leadership or security?

‘The Speed of Trust’ by Stephen M.R. Covey had a big impact on me. It reinforced something I’ve seen throughout my career: security ultimately comes down to trust. Whether it’s customers trusting us with their data or employees trusting our processes, trust is one of the most valuable assets an organization has.

What’s a lesson you learned the hard way in your career?

You can’t buy your way out of a culture problem.

Technology alone doesn’t solve security problems. Early in my career, I thought the right tool could fix almost anything. Then I watched organizations spend millions on technology while still struggling with security incidents. What I learned is that people, processes, and culture are often more important than technology. Security succeeds when people understand why it matters. If people don’t understand the “why,” even the best tools won’t save you.

What keeps you up at night right now, from a security perspective?

It’s not the threats I know about. It’s the complexity I don’t fully see.

Cybersecurity has always been challenging, but the pace of change today is unprecedented. Organizations are adopting AI, cloud services, third-party integrations, and new digital tools faster than ever. The challenge is maintaining visibility and control in an environment that’s constantly changing.

How do you measure whether your security program is actually working?

The goal isn’t perfect security. The goal is resilient business operations.

I look at outcomes, not activity. 

I don’t measure success by how many alerts we generate or how many tools we own.

I ask:

  • Are we reducing risk?
  • Are we detecting issues faster?
  • Are we enabling business growth?
  • Can we recover quickly when something goes wrong?

What advice would you give to someone stepping into their first CISO role today?

Learn the business before trying to secure it.

Spend your first few months understanding:

  • Revenue drivers
  • Customer expectations
  • Operational challenges
  • Business strategy
  • Stakeholders and End Users

The best CISOs are business leaders who happen to specialize in security.

What do you think will matter less in security five to ten years from now?

Security teams will spend less time chasing alerts and more time shaping decisions. 

AI and automation will handle a significant amount of operational security work.

I think we’ll spend less time manually triaging alerts and more time focusing on governance, strategy, resilience, and trust.

Security leaders will increasingly sit at the center of business transformation, legal and ethics.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Managing AI ecosystems. Today, we secure users, devices, and applications. In the future, we’ll also be securing AI agents, AI-to-AI interactions, automated decision-making systems, and the data that powers them.

Security teams will become trust and governance teams as much as technology teams. The future of security is becoming the discipline of managing trust between humans, machines, and data.

The future of cybersecurity isn’t just about protecting systems – it’s about enabling trust in a world where humans and AI increasingly work side by side. Organizations that get that balance right will have a significant advantage. And in the age of AI, trust may become the most valuable asset any organization owns.
