Few security leaders can say they have been a hacker, a three-time CISO, a board advisor, an AI governance and security leader, and a contributor to national AI strategy. Monica Verma‘s career has spanned critical sectors including finance, healthcare, and energy, giving her a unique vantage point on one of the defining challenges facing organizations today: how to embrace AI without sacrificing resilience, governance, or human judgment. As the founder of Monica Talks Cyber and an advisor to executives and boards across EMEA, she spends much of her time helping leaders bridge the gap between the pace of technological change and an organization’s ability to understand, govern, and secure it.
That perspective makes her a particularly compelling guest for CISO Diaries, a series focused on the people behind cybersecurity leadership and the philosophies that shape their decisions. Throughout this conversation, Verma returns to a theme that has guided her career for more than two decades: “Assume chaos and build resilience.” Whether discussing AI agents with excessive autonomy, the importance of questioning urgency before taking action, or the challenge of translating complex risks into meaningful business decisions, she offers a candid look at what it takes to lead in an era where technology is moving faster than most organizations can comfortably process. Her insights extend well beyond cybersecurity, touching on leadership, governance, personal resilience, and the increasingly critical role human judgment will play in an AI-driven world.
How do you usually explain what you do to someone outside of cybersecurity?
I tell them I’m a hacker. Not the kind with a hoodie and a dark basement, but the kind who spent years learning how systems break, so she could spend a career making sure we can build resilient businesses and society.
I’ve been a CISO for almost a decade across critical industries such as finance, healthcare, and energy. Think of it this way: every organization runs on trust, especially every critical organization. They run on the trust that your money and data are safe. Trust that the systems keeping your hospital running won’t go dark at 2 am. Trust that your business is doing what it’s supposed to in a resilient and somewhat predictable way. Trust that a digital failure doesn’t lead to a financial collapse. My job is to know how things can go wrong and to build, protect, and sometimes rebuild that trust and resilience under conditions that are never ideal, with resources that are never enough, and against adversaries equipped with AI models.
I advise organizations on AI governance and security. Because the same thing that happened with the internet, we built fast, we scaled fast, we secured never, it’s happening again, only faster and with higher stakes. AI is being handed the keys to decisions that affect human lives.
In short, I tell them, here’s my no. 1 philosophy of what I do: Assume chaos and build resilience.
What does a “routine” workday look like for you, if such a thing exists?
There is no routine except just setting the right priorities. Through all the roles I have had, as a hacker, a CISO, and an AI governance and security advisor, I’ve always worked towards building my career around my life, not the other way round.
I don’t have an iron-clad routine, but what I do have is my priorities and a rhythm. I start every morning with a high signal-to-noise ratio. The first is my mind and body. Training, walks, whatever that means for you. For me, it’s yoga, followed by either a cardio or a muscle-training session, depending on the day of the week. Followed by breakfast with family. Yup, I find time for that.
Then, as I get to work (from home), I scan for what actually matters. Not the 47-vendor report, but the handful of things genuinely shifting the landscape. The problems that my community and clients are facing. Latest breaches and how they are happening. A breach that tells me something new about how attackers think or how they abuse AI models. This is a quick scan, not an entire morning.
Then comes the work that requires my full brain, writing, advising, and building. The thinking work. The creative work. The actual understanding of the problem and solution. I protect that time like my most valuable time, because the moment I let reactive work eat it, the day is gone and I’ve produced nothing of real value. That happens in the early part of the day. I have no meetings before the afternoon. Even as a full-time 3x CISO, I never had meetings before 10:30 am (of course, there were exceptions, not the norm).
Afternoons tend to be conversations, practical research, and getting my hands dirty with different AI models, using, hacking, and securing them, running my AI governance and security accelerator program. Then its conversations with leaders about where AI risk sits in their governance structure. CISOs ask how to talk to their boards about something they themselves are still trying to understand. Those conversations are rarely clean. They’re messy and honest, and that’s exactly where the more hands-on, actionable work happens.
None of this is set in stone. I try to build a routine, but it doesn’t always go as planned, which is why I have room for priorities rather than a fixed daily schedule.
What doesn’t change is this: Every single day, something I didn’t expect comes up. A new breach or a company in crisis. A development in AI that reframes a conversation entirely. A CISO who only has a title and is struggling. A question from someone early in their security leadership career that makes me stop and think harder than any boardroom challenge has.
My day always starts and ends with me and family time. After lunch, I go for a short walk to reset. Then, across multiple weeks, there is all the traveling for speaking and client work.
A very fixed routine would be easier. But knowing my priorities and knowing them well is better, because my work is engineered around my life and not the other way round. My calendar doesn’t run me. The meetings don’t dictate my time. My priorities guide my day-to-day. Not the external world.
I’ve been building my career around my life and family for a while now, even as a CISO for critical infrastructure, and I’ll continue doing so.
What part of your role takes the most mental energy right now?
Translating speed into comprehension, especially in all the speaking, training, client advisory, workshops, and writing I do.
AI is moving faster than most organizations and most leaders can process. Not because they’re not intelligent. They are. But intelligence isn’t the constraint here. Time is. Attention is. The cognitive bandwidth required to track what’s actually changing versus what’s noise dressed up as urgency, that is the job right now, and it is exhausting most of the time in a good way, as long as I know my priorities. That’s what helps me not get overwhelmed.
When I’m advising a board or a C-suite, I’m not just telling them what’s happening. I’m translating it into consequences they can act on. What does it mean for your liability when your AI system makes a wrong call on a credit decision? What does it mean for your resilience when the third-party AI tool you quietly embedded in your HR workflow starts training on your employees’ data? What does it mean for your legal standing when the EU AI Act lands, and you haven’t mapped a single high-risk system? How to fix it, build and secure it, and build governance for it.
These are not abstract questions. They are immediate. And the weight of making that felt, without using fear, without oversimplifying, without losing the nuance that makes the answer actually useful, that is where most of my mental energy goes.
There’s also a quieter drain. Watching organizations move too slowly on things that matter and too quickly on things that don’t. You can’t want it more than they do. But sometimes, you come close.
What’s one security habit or routine you personally never skip? (Work or personal.)
Just yesterday, I received an SMS, allegedly from my telecom provider, stating that my mobile ID was locked and that I needed to act to get it unlocked. My first instinct this sounds “phishy”. I hadn’t logged on to that account in a few days, so that message at that time felt strange. But I don’t want to immediately tag this as phishing without a full understanding. Instead of clicking anything, responding to it, or outright ignoring it, I went to my mobile provider app and contacted customer service there to verify whether this was legit.
Before I act on anything, an alert, a request, a piece of intelligence, an urgent message that arrives at any time, I stop and ask: Is this what it appears to be? Not because I’m paranoid. Because I’ve spent enough years watching sophisticated adversaries understand that the easiest system to compromise is a human under pressure.
Social engineering works because it exploits the moments when we stop questioning. We’re busy. We’re tired. We trust the sender because we recognize the name. We click because the urgency feels real. And in that fraction-of-a-second decision, the breach happens.
AI is doing that to us now. So while I’m embracing the tech, I don’t believe in the hype that we have reached AGI and that AI can feel.
So my habit is to pause. Not a long one. But a deliberate one. Does this make sense? Is this the normal channel for this kind of request? What makes AI act and behave this way? Is it prioritizing goal execution over my explicit commands even when there’s a conflict? Would this person or AI actually ask me this, this way, right now?
I’ve applied that pause not just to phishing simulations but to actual ongoing attacks. I’ve applied it to board requests that felt way outside the remit or would weaken the organization’s resilience. I’ve applied it to recruiter and vendor pitches, as well as compliance.
It’s not glamorous. It won’t make a conference keynote about zero-trust agentic AI. But in twenty-plus years of working in and around security, the one habit that has never failed me is simply this: slow down before you act. The best attacks are designed to make that pause feel impossible. Make it intentional both before, during, and after a crisis. That’s what builds resilience over time.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
I won’t name specific tools. What I will tell you is the philosophy, because that matters more than the product list.
Everything is layered. I operate on the assumption that any single control will eventually fail. So no single point of failure exists in how I protect my digital life. Password manager, yes, always, with long, unique credentials for every account, none of which I actually know by heart. MFA, yes, on everything critical, and not SMS-based MFA where I can help it, because SIM-swapping is not a hypothetical. It has happened to people I personally know.
Backups, yes, and actually offline/air gapped. A backup you’ve never restored from is a backup you don’t actually have. Most people learn this the hard way, usually at the worst possible moment. I have offline backups, and they are actually offline.
Devices are separated by purpose and kept up to date. My AI runs on a Mac mini, in a VM, or both. Client work has a separate device and a separate level of security controls. I build my own skills and army of agents. I download AI models and libraries and keep them offline where it makes sense or is needed, reducing token burn and, where needed, improving privacy.
Beyond the technical: I am careful about what I say, where I say it, and what metadata I leave behind. What’s once online is online forever. Digital hygiene is a daily practice, not a one-time setup. I know that everything I share online is public.
The honest truth is that no setup is perfect. What matters is that you’ve reduced the blast radius when, not if, something goes wrong. That’s the goal. Not invincibility. Resilience.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
The book that changed how I lead is not a security book. It’s actually two books. One is Man’s Search for Meaning by Viktor Frankl. The second is the one I am writing at this very moment. The latter has already changed the way I think, believe and work.
Here’s why it matters to me, specifically to my journey, and why I think it should matter to anyone in a leadership role. First going back to Man’s Search for Meaning.
Frankl survived Auschwitz. He watched everything external be stripped away: freedom, family, certainty, safety. What he documented was this: the last of human freedoms is the ability to choose your response to any given set of circumstances. Not the circumstances themselves. The response.
I went through nothing that Viktor Frankl went through, but I did go through a nasty divorce, toxic ex-bosses in cybersecurity, and cancer. Not just once, but many times in my life, I had to rise from the ashes and rebuild. None of that would have been possible without internal resilience.
My mind, shaped by neuroplasticity, is my chamber of resilience. Everything starts there and is reflected in business, work, personal life, and day-to-day life.
That idea has shaped how I have led through every crisis I have faced in my career, at work, as a CISO, and there have been many. A breach at 2 am with a board demanding answers. A regulatory investigation with no clean answers available. A team that is frazzled because the attackers are already inside the infrastructure, and no one has a playbook.
You cannot always control what happens. But you can always control how you meet it and respond to it.
Assume chaos and build resilience. There is no understating how much that is ingrained in everything I do and have done for decades.
Second is the next book that I am most excited about and that is already changing and shaping me every day as I am writing it. It is the one I just signed a deal with a publisher for, the one I am writing now.
I’ve been writing for a while, whether it’s articles, blogs, newsletters, posts, etc. Writing always helps you think clearer. But writing a book is probably the hardest and the most revolutionary to your own journey. You are the most vulnerable and most intimate when you write a book.
In security, we spend enormous energy on prevention. Frankl taught me, before I even fully understood leadership, that resilience is not about preventing the worst. It’s about who you are when the worst arrives anyway. My book is about going from chaos to resilience. You can sign up for the waitlist at monicatalkscyber.com/books.
That’s the kind of leader I try to be. Not the one with all the answers. The one who doesn’t flinch when there aren’t any.
What’s a lesson you learned the hard way in your career?
Being right is not enough.
Early in my career, I had the analysis, the evidence, the data, the numbers, and the recommended path forward. I had everything except the one thing that actually moves organizations: the ability to make the person across the table feel that the problem was theirs to own, and theirs to solve, but that they had my team’s and my help.
I used to present the risk like a prosecutor presenting a case. I expected logic to do all the work of persuasion. The data is there. The solutions sound logical. How hard can it be? I couldn’t be more wrong. I thought if I showed the data clearly enough, the decision would make itself.
It doesn’t work that way. It never works that way. Data is needed. Its must. But alone, it’s not enough.
What I learned, slowly, through enough frustration to be humbling, is that people do not act on information alone. They act on meaning, purpose, and shared purpose. They act when something connects to what they already care about: their reputation, their organization’s survival, their customers, their legacy. Your job as a security leader is not to be the smartest person in the room. It’s to find the bridge between what you know and what they’re willing to act on.
That takes a different kind of intelligence than technical expertise. It takes emotional precision. The ability to read what’s actually blocking the decision, fear of cost, fear of being wrong, fear of disrupting momentum, and address that, directly and honestly, without manipulation. Both are key.
I learned this the hard way, at the cost of initiatives that should have succeeded and didn’t. Learning is what made me successful as a 3-time CISO and award winner. I stopped believing that being right was the finish line. The finish line is action. Everything else is just information.
What keeps you up at night right now, from a security perspective?
In short, 3 things: 1) AI in decision making without adequate oversight, 2) Excessive agency with the AI agents, and 3) Dependence on AI degrading the quality of thinking, problem solving, and emotional connection.
99% of companies have never mapped their business decision workflows or key decision points that run their business. But now, agentic AI is not only operating inside enterprise environments that nobody has fully mapped, but it’s also making decisions across workflows that nobody has mapped.
The biggest problem isn’t shadow AI, it’s shadow AI making key business decisions at machine speed. You can’t integrate human oversight without mapping your key decision points and where AI is integrated across them.
AI agents are the insider threat, even if not conscious, that attacks the business from within the four walls of your organization. Pre-LLMs, identity was the new perimeter. Post LLMs, Non-human identities are even more critical. Not the chatbot on the customer service portal. Not the co-pilot drafting emails. The agents and their non-human identities.
Most AI agents have excessive agency. The systems that can take action, chain decisions, interact with APIs, and access critical data and key business decisions do all of it at machine speed, making human oversight extremely difficult. At the same time, a non-human identity runs amok, and no one is managing it or even aware of it.
We are deploying these systems in organizations where data governance is not clean, access controls are not up to date, and third-party risk assessments haven’t kept pace with what’s actually running. And we’re doing it because the business pressure is real, the competitive anxiety is high, and nobody wants to be the team that said ‘no’ while the market moved without them.
I understand that pressure. I’ve sat in the chair for decades, where that pressure lands. But what I see right now, across industries and geographies, is a gap between how fast organizations are moving and how ready their foundations are to support what they’re building on top of them.
The third thing that really worries me, even more deeply, is this extremely unhealthy dependence on AI, which takes away actual thinking, analysis, problem-solving, purposeful work, and even emotional connection. I am pro-tech, but not at any and all costs.
The risks must be managed to reap the rewards of the opportunities. Adequate governance must be in place. The human connection remains irreplaceable.
An agentic AI system with misconfigured permissions, agentic misalignment, and human-like behavior is not a theoretical risk. It is a breach waiting for the right set of conditions. And unlike a phishing email, it doesn’t announce itself. It operates within the systems you trusted. It looks like normal activity, until it isn’t. It sounds like a human when it isn’t.
That’s what keeps me up. Not the known threats. The consequences of speed and human-like behavior with agentic misalignment without governance.
How do you measure whether your security program is actually working?
By measuring how well it supports the business mission. Not by the absence of incidents. That’s a trap, and a surprisingly common one.
Absence of a known breach tells you almost nothing about the actual state of your security. It might mean you’re well-protected. It might mean you haven’t been targeted yet. It might mean you were breached months ago and simply haven’t found it. The absence of visible fire is not evidence of no fire.
What I measure, and what I push my clients and the boards I work with to measure, is the resilience of their business through security, governance, and risk management, not just the absence of a crisis.
To give you tangible examples. As the CISO of the national healthcare agency, I asked my CEO, “What is the most important mission of our organization if you had to pick just one?” He didn’t say anything about data confidentiality. He said to have digital health services available, up and running, and accessible across the entire country, with the required SLA. That is the business mission. So your security program must support the business mission. As the CISO for the finance sector, that was different. For us, it was ensuring that the critical infrastructure that runs banking, insurance, the investment arm, et cetera, not only ran as expected but, more importantly, had integrity baked in diligently. That means settlement is happening at the right time and in the right amount, with non-fraudulent transactions, building a resilient backbone infrastructure for the entire finance sector, et cetera. So then security must fulfill, support, and enable that mission.
A security program cannot be something that runs on the side; it must be foundational to your business operations and integrated across all business functions. So the questions you may need to ask are these: How well and fast does your organization detect and respond when something does or doesn’t happen? How are you building resilience through governance? Governance, not on paper, not in committees, not a checklist, but governance across your business workflow and business operations, including tech/AI, people, and processes. Are the humans in your organization making better decisions? Are the AI agents?
And finally, is the board asking better questions? Do the security program’s goals directly support the business goals? When the people accountable for governance start asking sharper questions about AI risk, third-party exposure, and resilience planning, not because they’ve been told to, but because they genuinely want to know, your program is working. It takes a village.
Silence is not a metric. Behavior is.
What advice would you give to someone stepping into their first CISO role today?
Understand that you were not hired to be the best technologist in the room. You were hired to lead, listen, and bring together the best people across functions and stakeholder groups, while understanding the people, process, and technology aspects. The combination of tech CISOs who understand business and people is the one that become top 1%. I am a hacker turned CISO. That gave me the edge. But bringing the right business functions and different stakeholders together, including techies and non-techies, in the right place at the right time is what helped me stand out and become in the top 1%. One is not enough without the other.
That distinction sounds obvious. In practice, it is one of the hardest transitions first-time CISOs make. You got here because you are technically excellent. You get to stay because you can translate that excellence into business outcomes that the board, the CEO, and the CFO actually care about. Those are completely different skills. Start developing the second set immediately.
Learn the business before you redesign the security program. I mean this literally. Sit with the CFO. Understand the revenue model. Walk the operations floor if one exists. Talk to the lawyers. You cannot protect something you don’t understand, and you cannot earn trust by arriving with all the answers before you’ve asked the right questions. You do not have all the answers. Never pretend you do. I teach all these learnings in my security masterclass, precisely because no one else does.
Build relationships before you need them. The breach will come. The board escalation will come. The crisis will come. The regulatory inquiry will come. When those moments arrive, the outcome will be determined far more by the quality of your relationships with your peers than by the maturity of your vulnerability management program.
And this: you will be wrong sometimes. Publicly, visibly wrong. The measure of your leadership is not whether you’re wrong; it’s what you do the moment you know it. Own it fast, fix it fast, and learn from it visibly. The leaders who last are not the ones who never fail. They’re the ones the organization trusts precisely because of how they behaved when they did.
What do you think will matter less in security five to ten years from now?
Manual threat hunting as a primary discipline.
Not because it isn’t valuable, it is. But because the scale of the environment security teams expected to monitor is already beyond what human attention can cover, the gap is widening every quarter. The analyst staring at a SIEM dashboard, building correlation rules by hand, triaging alerts one by one, that model is already straining. In five to ten years, it will be automated, augmented, or restructured beyond recognition.
Perimeter-based thinking will also matter less than it already does, and it already matters far less than the industry’s spending patterns suggest. The perimeter dissolved years ago. We just kept budgeting as though it hadn’t.
And, this one is more uncomfortable to say, the premium currently placed on certain technical certifications as proxies for capability. Not because learning is less important, but because the currency will shift. What organizations will need is judgment, adaptability, and the ability to operate under genuine uncertainty. A certification can demonstrate knowledge at a point in time. It cannot certify that someone can lead through an AI-driven breach at 3 am when the playbook doesn’t cover the scenario. Do a course. But apply those skills continuously.
The skills that depreciate will be the ones that can be automated. The skills that are appreciated will be the ones that can’t be taught: contextual judgment, communication under pressure, and ethical reasoning in novel situations. Security will always need people. Just not the same people doing the same things. That shift is already underway.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
A lot of it will be architecting and governing non-human identities to solve specific problems. Not just to automate stuff. But to genuinely solve problems better, more efficiently, and with the right architecture and design.
Right now, most organizations still don’t have a reasonable handle on their human identity estate. They still don’t know who has access to what. In ten years, the majority of identities operating inside enterprise environments will not be human. They will be AI agents, automated pipelines, model-to-model communication layers, and agentic systems that execute decisions across infrastructure spanning cloud, edge, and environments we haven’t fully defined yet.
The access controls, audit trails, and governance frameworks built around human users are ill-suited to that reality. An AI agent doesn’t get promoted and forgets to update its permissions. It scales. It replicates. It operates across time zones simultaneously. It doesn’t trigger the same behavioral anomalies that flag a compromised human account. Governing it requires a fundamentally different posture.
Security teams will also spend significantly more time at the intersection of AI ethics and operational risk. Not as a compliance exercise. As a live, continuous practice. When an AI system makes a wrong decision that causes real harm, and it will, the question of who is accountable, how fast you can respond, and whether your governance structure is actually operational versus theoretical will become the core crisis management challenge. I recently recorded my Monica Talks Cyber podcast episode with a dear friend of mine, Tim Brown, the former CISO at Solar Winds, and we discussed governance and liability for security leaders, especially in the age of AI and non-human identity.
We will spend more time on predictive security and resilience architecture and less time on prevention theatre. The organizations that thrive will be the ones that built for prediction and resilience as seriously as they built for defense.
The teams that will lead that work don’t fully exist yet. We are building them now, whether we know it or not.

