Most organizations are racing to adopt AI without considering the security implications. Justin Greis, former leader of McKinsey’s cybersecurity practice and founder of the AI-powered consulting firm Acceligence, explains why this approach creates risk and how security leaders can change the conversation.
Companies are deploying AI at different maturity levels. Some distribute AI tools to business units and wait for use cases to emerge. Others push boundaries with advanced algorithms. Few consider the associated risks. The right stakeholders often aren’t in the room when AI decisions are made, either because organizations want to move fast or because security teams are underfunded and focused on daily operations. Technology companies are making AI capabilities available at unprecedented speeds, leaving organizations uncertain about securing and deploying these tools responsibly.
Security should be the foundation of trust, not an afterthought. McKinsey research found that customers make buying decisions based on product security when companies can demonstrate testing and rigor. A secure, certified product materially influences purchasing choices compared to alternatives without visible security standards.
Greis emphasizes that compliance certifications like SOC 2 or ISO represent minimum requirements, not security maturity. Organizations secure enough to meet business objectives naturally achieve compliance. The goal is translating business initiatives into security requirements that exceed baseline standards.
The Chief Information Security Officer position has shifted from back-office administrator to business enabler. AI has accelerated this change by converging infrastructure, technology, and cybersecurity into unified platforms. CISOs now have opportunities to demonstrate how they understand business context and can help organizations move faster and safer.
The challenge for security leaders is communication and relationship building. Years of underfunding forced CISOs to focus on survival rather than strategy. As security functions reach parity with other departments, more leaders can engage at the executive and board level. This shift requires CISOs to develop storytelling skills that contextualize security metrics for business audiences rather than overwhelming boards with technical details.
As AI agents begin making decisions without human oversight, organizations face new risks. The push to remove humans from decision loops creates efficiency but introduces vulnerabilities, particularly when AI accesses data it shouldn’t process or makes decisions affecting vulnerable populations. Companies need frameworks to identify where human oversight remains necessary and mechanisms to monitor those boundaries.
Organizations implementing AI successfully have thought through secure development lifecycles, DevSecOps, and product operating models. Those starting from scratch face larger organizational changes to incorporate security, privacy, and responsible AI practices into development workflows.
LinkedIn: https://www.linkedin.com/in/justingreis/
Transcript
Patrick Spencer (00:01.585)
Hey everyone, welcome back to another KiteCast episode. I’m your host for today’s show, Patrick Spencer. We have a real treat today: Justin Greis is joining us. Justin, thanks for making time to speak to us.
Justin Greis (00:12.674)
Yeah, thanks, Patrick. Happy to be here.
Patrick Spencer (00:14.493)
Looking forward to this conversation. Quick intro—this barely does him justice. Justin is founder and CEO of Acceligence, an AI-powered consulting firm focused on technology, cybersecurity, risk, and strategy. He formerly led McKinsey’s security practice and was a founding member of EY’s cybersecurity, technology, and digital practice. He serves on the board for the Kelley School of Business at Indiana and on the board of Ravinia. He’s a frequent keynote speaker and published thought leader. He holds an MBA and a BS from Indiana University and completed the Harvard Business School Executive Leadership Program. You just launched Acceligence, intertwining cybersecurity and AI as many rush headfirst into AI and treat security as an afterthought.
Justin Greis (01:22.646)
Yeah, thanks, Patrick.
Patrick Spencer (01:41.393)
Many organizations…
Justin Greis (01:42.990)
AI is transforming everything. Companies are at very different stages—some toss AI to business units to find cost cuts and automation, few think about risk. Others are pushing boundaries as tech vendors ship capabilities at breakneck speed, leaving buyers asking how to secure and use them responsibly. After 25 years in tech, cyber, and digital consulting, I’ve never seen a trend move this fast. Consulting firms are racing to help clients figure it out.
Justin Greis (03:47.543)
So I founded Acceligence, an AI-powered management consulting firm focused on technology, cybersecurity, risk, and strategy. I’m building platforms to help companies adopt AI responsibly and to deliver services faster with smaller teams. We should be live by mid-September, around when this podcast goes out.
Patrick Spencer (04:38.983)
We’ll dig into IBM’s Cost of a Data Breach report and its AI angles. First, your background: EY for years, then McKinsey for four or five, now your new company. How did you transition from business school into a cybersecurity career?
Justin Greis (04:55.918)
Sure.
Patrick Spencer (05:07.111)
How did that path unfold?
Justin Greis (05:12.412)
I started at Indiana University’s Kelley School of Business, loved it, kept guest lecturing, then joined the faculty in 2008. I joined EY out of school in IT audit and lasted six months—I was the worst auditor. In one review, I sketched a solution on the whiteboard; the client loved it, but my manager said, “That’s great consulting—we can’t do that as auditors.” I moved into consulting instead, because I’m wired to solve problems, not just find them.
Patrick Spencer (08:00.999)
Go pen the paper. Hang on.
Justin Greis (08:02.998)
Post-Capgemini, EY’s retained advisory core was cybersecurity—maybe 50 people. We grew it to ~7,000 globally starting in 2004. I helped found tech strategy, made partner, helped found digital, then returned to cybersecurity in 2018. McKinsey later asked me to help scale their cyber practice—using that platform to elevate cyber to the board and C-suite was some of my most impactful work.
Patrick Spencer (11:33.105)
When taking cyber to boards at McKinsey, did you go through the CISO? Who sponsored you in, and are CISOs getting better at those discussions?
Justin Greis (12:06.414)
Rarely was the CISO our client. We were brought in by CEO, CIO, CRO, COO, or BU heads on business matters where cyber was a blocker. CISOs who engaged us were business-minded and sought bridge-building. The role has evolved from back-room technologist to business enabler, accelerated by convergence of infrastructure, technology, and cyber—and catalyzed by AI. More executives now hold combined CTO/CIO/CISO-style portfolios. Biggest CISO gaps: communication, engagement, and relationships, after years of underfunding kept them heads-down. That’s changing fast.
Patrick Spencer (17:45.405)
You argued cyber must be a business enabler. How does a CISO make that case—win customers, build trust, support launches?
Justin Greis (18:29.122)
Cyber is the foundation of trust and can be a differentiator. McKinsey’s digital trust work showed customers choose secure, tested products with visible rigor. Externalize capabilities—certifications, assurance, resilience—as customer-facing signals. At RSA, we convened CISOs and board members with NACD to align on elevating trust and getting CISOs in the room.
Patrick Spencer (22:55.941)
On compliance (SOC 2, ISO, NIST, NACD): does compliance improve security, and will regs help with AI data risk?
Justin Greis (24:50.540)
Don’t confuse security and compliance. You can be compliant and not secure; if you’re secure, compliance follows. Certifications are minimum bars—useful rigor but not the target maturity. Translate business goals into security capabilities; that typically exceeds minimum thresholds. Regulations are like speed limits—guidance and enforcement that prevent deprioritizing security, especially in banking. Bake them in, aim higher.
Patrick Spencer (29:03.675)
Will AI become part of control frameworks like NIST?
Justin Greis (29:31.727)
It’s happening. Ethical/business use and technical controls are converging: data monitoring, segregation, MLOps, red-teaming, secure SDLC. In product operating models, decentralization requires developers to own security, privacy, and responsible AI controls with security providing tooling and oversight.
Patrick Spencer (32:28.229)
With AI risk, are self-assessments overconfident like we see in CMMC?
Justin Greis (33:15.546)
Yes. Tests of design vs. operating effectiveness reveal gaps, especially enterprise-wide coverage. Surveys tend to overstate readiness. Culture matters: psychological safety enables honest risk disclosure and better outcomes. That’s why we worked with NACD—create conditions for candor at the top.
Patrick Spencer (37:35.354)
Describe the NACD event at RSA.
Justin Greis (37:45.561)
We brought CISOs and board members together. Consensus: cyber is a differentiator; CISOs must up-level storytelling to context and outcomes; boards need better tech acumen. Don’t barrage boards with raw vuln and phishing stats—tell the business story of why risk changed and what it means.
Patrick Spencer (42:26.267)
AI risk: what will trigger broader security thinking—agents, supply-chain effects?
Justin Greis (43:25.112)
The push to remove humans from the loop worries me—decisions in insurance, finance, and for vulnerable populations can become existential risks. Turning agents loose on sensitive data without guardrails is dangerous. Keep humans in the loop at defined points; establish oversight for when they’re removed. Measure and manage that risk.
Patrick Spencer (47:08.945)
We could go on; where can people find you and your company?
Justin Greis (47:30.872)
Find me on LinkedIn. Visit acceligence.com—spelled A-C-C-E-L-I-G-E-N-C-E dot com. We should be live mid-September. Would love to connect.
Patrick Spencer (47:54.375)
We’ll be watching. Thanks, Justin. For other episodes, visit kiteworks.com/kitecast.
Justin Greis (47:57.272)
Thank you. Appreciate it, Patrick.
Justin Greis (48:08.943)
Thank you.