Securing the Future: Lessons on AI, Compliance, Supply Chain Security, and Leadership from Cybersecurity Leader Dale Hoak
- The Cybersecurity Podcast
In this episode of the Cybersecurity Podcast by EC-Council, host Jay Bavisi speaks with Dale Hoak, a seasoned cybersecurity leader with a distinguished background spanning military service in the U.S. Navy to managing the New York Police Department (NYPD) Security Operations Center (SOC). Dale currently serves as CISO for RegScale, a platform focused on continuous controls monitoring and compliance automation. His journey from military service to high-stakes cybersecurity is a trial by fire, sharpening character and skill and delivering hard-earned lessons at every turn.
The discussion opens with Dale’s journey and moves through high-stress cybersecurity environments, compliance challenges, AI integration in security, supply chain risks, and leadership advice for future CISOs.
Explore the right career option
After retiring from the U.S. Navy in 2017, Dale sought stability and initially started a compliance role. Upon realizing it wasn’t the right fit, he chose to pivot, prioritizing work that resonates with his interests. He moved into security operations, which transformed his career as he navigated through the intricacies of the role.
Impact of a high-intensity environment on professional growth
The high-intensity atmosphere of the NYPD SOC had a transformative effect on Dale. Work pressure was immense; every action carried significant consequences for the safety of officers and the public; and all were dependent on the security of a vast and intricate network. Moreover, given the constant influx of critical information from agencies such as the FBI, CISA, and the Department of Homeland Security, it was essential to maintain a secure and accurate operating environment.
Dale’s military training had instilled discipline and readiness in him, but these values became more tangible in the real-time demands of the role. Managing the New York City network required vigilance and swift and informed decisions under pressure. Threat intelligence was a requirement as well as a matter of public safety, where every detail counted. These experiences deepened his admiration for cybersecurity, fostering a strong appreciation for its vital role in protecting individuals and sensitive municipal data.
Lessons from a Log4j security breach
One of the most impactful real-world challenges faced by the NYPD SOC was the Log4j vulnerability. Initially, the true scale and intensity of the threat were unclear, and it was not immediately evident which systems were affected, whether Windows, Linux, or other platforms. As the situation evolved, it became clear that an effective response depends on an accurate and comprehensive understanding of the entire network. Efforts to identify vulnerable assets were slowed due to outdated processes and procedures. The entire experience underscored the need for modernizing asset management and the importance of maintaining a current Software Bill of Materials (SBOM) to track where every component resides within the infrastructure.
The lesson drawn from the crisis was clear: without up-to-date processes, asset visibility, and automated tools, organizations will fall behind when confronting fast-moving cyber threats.
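The asset-visibility lesson above becomes concrete once an SBOM exists per host: a response team can ask "which systems carry this component in the affected version range, and which systems we cannot answer for at all?" in seconds rather than days. The following is an added example, not code from the episode or from RegScale; it assumes a simplified CycloneDX-style inventory (a constructed dict of hostname to component list) and takes the vulnerable version range as an input, with the Log4j range used in the demo being an illustrative assumption to be replaced by the current vendor advisory.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample inventory (not real hosts): one SBOM-like component list per
# host, in a simplified CycloneDX-style shape. "components": null models a host
# that was never inventoried, which is the visibility gap the episode describes.
SAMPLE_INVENTORY = json.loads(r'''{
  "hosts": [
    {"hostname": "app-01.example.internal", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1"},
      {"group": "org.springframework", "name": "spring-core", "version": "5.3.13"}]},
    {"hostname": "app-02.example.internal", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1"}]},
    {"hostname": "batch-07.example.internal", "components": [
      {"group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9"},
      {"group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.0-beta9"}]},
    {"hostname": "web-03.example.internal", "components": [
      {"group": "log4j", "name": "log4j", "version": "1.2.17"}]},
    {"hostname": "legacy-11.example.internal", "components": null}
  ]
}''')


def parse_version(version: str) -> Tuple[Tuple[int, ...], int, int]:
    """Turn "2.14.1" or "2.0-beta9" into a comparable tuple.

    Release numbers compare first; a pre-release suffix ("-beta9", "-rc1") sorts
    below the release with the same numbers, so 2.0-beta9 < 2.0 < 2.0.1.
    """
    release, _, pre = version.partition("-")
    numbers = tuple(int(part) for part in release.split(".") if part.isdigit())
    if not pre:
        return (numbers, 1, 0)
    pre_number = int("".join(ch for ch in pre if ch.isdigit()) or 0)
    return (numbers, 0, pre_number)


def find_affected(inventory: Dict, group: str, name: str,
                  first_bad: str, first_fixed: str) -> Tuple[List[Dict], List[str]]:
    """Return (affected hosts, hosts with no SBOM) for one component and range.

    A host is affected when it carries group:name with
    first_bad <= version < first_fixed. Hosts whose component list is missing
    cannot be assessed and are reported separately instead of being silently
    treated as clean; that unknown list is the asset-management backlog.
    """
    low, high = parse_version(first_bad), parse_version(first_fixed)
    affected: List[Dict] = []
    unknown: List[str] = []
    for host in inventory["hosts"]:
        components = host.get("components")
        if components is None:
            unknown.append(host["hostname"])
            continue
        for comp in components:
            # Match on full Maven coordinates: log4j 1.x ("log4j:log4j") is a
            # different artifact and is deliberately not matched by this query.
            if comp.get("group") != group or comp.get("name") != name:
                continue
            if low <= parse_version(comp["version"]) < high:
                affected.append({"hostname": host["hostname"], "version": comp["version"]})
    return affected, unknown


if __name__ == "__main__":
    # Assumed range for illustration only; take the current floor from the
    # vendor advisory for a real response.
    hits, gaps = find_affected(SAMPLE_INVENTORY, "org.apache.logging.log4j",
                               "log4j-core", "2.0-beta9", "2.15.0")
    for hit in hits:
        print(f"PATCH    {hit['hostname']}  log4j-core {hit['version']}")
    for hostname in gaps:
        print(f"UNKNOWN  {hostname}  no SBOM on file")
```

The two output lists map directly onto the two problems the NYPD SOC faced: the PATCH list is the work queue, and the UNKNOWN list is the measure of how far asset management has fallen behind. A query that returned only the first list would have quietly reported the uninventoried host as safe.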
CISOs lead the shift to proactive security
Compliance has long been regarded as a mere checkbox activity: organizations did just enough to satisfy regulators. This created a disconnect between compliance and security, because being compliant did not necessarily mean being secure.
Today’s CISOs recognize that this outdated approach is no longer acceptable. They are striving to reframe compliance from a burdensome cost center into a dynamic business enabler.
Compliance operations have evolved to integrate compliance considerations at the earliest stages of development, ensuring developers themselves are part of the compliance loop. By leveraging standards such as the Open Security Controls Assessment Language (OSCAL), organizations can produce machine-readable outputs that offer immediate visibility into the security posture of their systems.
Manage AI risks in compliance automation
Integrating AI into CI/CD pipelines brought a unique set of challenges, especially AI hallucinations and the unpredictability of code generated by LLMs. The core issue was traced to the rapid commercialization of AI, reflecting a broader market dynamic in which the push for innovation outpaced the development of adequate safeguards. Security leaders described their initial apprehension, comparing the rise of AI to a “Skynet moment” for the industry, but also noted that, with time, they came to see AI as a new frontier for business enablement, provided the right security frameworks are established.
Security leaders emphasize the need for comprehensive monitoring and oversight. Without such measures, AI can produce hallucinated or contextually incorrect outputs that introduce risk. Security professionals must reassess their approach and adapt their oversight strategies to the evolving technology.
Balancing speed and security: The CISO’s AI dilemma
Security professionals consistently struggle with limited budgets, resources, and time. AI addresses these gaps by optimizing resources and automating routine tasks, saving valuable time and effort. Nevertheless, despite the advantages, human oversight is indispensable.
Safeguards such as firewalls, access controls, and vigilant monitoring are necessary to prevent risks such as data poisoning and hallucinations. The quick global adoption of AI technologies has created significant pressure on organizations to keep up, with a prevailing narrative that says failing to use AI equates to falling behind.
Adapt to the rapid pace of AI adoption
Organizations are being pressured to implement AI solutions or risk becoming outdated. CISOs must recognize that AI is an unstoppable force and a powerful business multiplier. To keep pace, security leaders must quickly get skilled in how agentic AI systems function within their environments.
When integrating AI products, organizations should demand transparency from vendors by requesting model cards. CISOs should also consider how their AI systems are protected, including firewalls, access controls, monitoring, and integration with security information and event management (SIEM) tools. By taking a proactive approach, security leaders can help organizations harness AI’s benefits while managing the risks it poses.
Navigate the new frontier: Copilot and enterprise AI adoption
Agentic AI is changing the fabric of enterprise operations. CISOs should understand that integrating tools such as Microsoft Copilot into everyday work embeds AI directly into the workflows, where it can ingest and process business-critical data often without clear boundaries. CISOs should also understand how AI models are built, what data they consume, and how information can flow across multiple LLMs, often beyond direct control.
Turn your employees into cyber defenders
As AI-driven threats grow more prevalent, the responsibility for safeguarding data should no longer be limited to IT and security teams. Organizations must educate all other teams on data usage, storage, and protection. Ongoing monitoring and insider threat management are critical. Fostering this awareness transforms employees into frontline defenders against evolving cyber threats.
Reframe compliance from checklist to culture
Compliance has often been viewed as a regulatory checkbox. However, to create a compliance-driven mindset, CISOs must reframe it as a must-have goal that supports organizational improvement. Embedding compliance into the culture means demonstrating its value beyond avoiding penalties, helping teams view it as a path to stronger security and resilient business. By making compliance integral to daily operations, organizations transform it from a cost center into a core component of their security posture.
Cyber resilience beyond compliance
Achieving high levels of cybersecurity resilience requires compliance and a holistic approach including robust training, strong security operations, and good cyber hygiene. Employees should be trained and aware of the measures to maintain a secure environment. Security tools, from scanners to access controls and multi-factor authentication, should feed data into a centralized system for monitoring and orchestration. The outputs, when managed properly, drive compliance as a natural outcome, not a checkbox.
Confronting supply chain and third-party risks
Supply chain and third-party vendor risks are now more prominent than ever. For startups and small-scale organizations, managing vendor risk can be especially challenging. Security leaders must educate their teams on the implications of supply chain security. Effective supply chain security requires awareness, knowledge, and vigilance across development teams.
Building trustworthy AI and cybersecurity practices
As organizations depend on AI for both operations and security, the integrity and transparency of these systems have become critical. Vendors must build secure products, provide clear documentation, and openly share SBOMs to build trust. CISOs and their teams should stay informed, leverage expert advice, and maintain constant vigilance.
In a world where attackers need only succeed once but defenders must get it right every time, strong supply chain security demands constant diligence and rapid response.
Is AI in cybersecurity a boon or a curse?
Dale believes that AI will initially create more problems by empowering threat actors with advanced capabilities. However, he is of the opinion that defenders will eventually catch up and use AI to strengthen security once the industry adapts to new risks.
CISO accountability and the boardroom
While CISOs often bear the blame after cyber incidents, their main responsibility actually lies in communicating the risks to the board. Maintaining operational awareness and presenting risk in relatable, business-focused terms is crucial for securing funding and support, ideally before an incident occurs.
Dale advocates a shift in perspective: the CISO should not be seen as a lone operator. Like other C-suite leaders, the CISO needs a team comprising security officers, architects, analysts, and cross-functional partners. This allows the organization to respond flexibly as challenges evolve.
Advice for the next generation of CISOs
For aspiring CISOs, Dale suggests viewing security as just one part of a larger business puzzle. Flexibility, open communication, and leading by example are essential. A CISO must set the tone for security culture, remain adaptable, and consistently reinforce policy.
Dale Hoak’s candid insights drive home a fundamental truth: the role of the CISO has never been more complex, challenging, or vital to organizational success. As the threat landscape continues to evolve, so must the office of the CISO, transforming from an individual contributor role into a collaborative, adaptable force at the heart of enterprise resilience. The path forward lies in continuous learning and clear risk communication, ensuring that cybersecurity is woven into the fabric of every organization. Watch episode 6 of The Cybersecurity Podcast: “Blind Trust, AI & the New Cybersecurity Reality | Dale Hoak.”
For more conversations shaping the future of cybersecurity, subscribe to the Cybersecurity Podcast by EC-Council.