FRONTIER WITH SECURITY AS THE CORE
At the Microsoft AI Tour in Atlanta, I spoke with Chris Tignor, Chief Security Advisor for Media & Entertainment at Microsoft and a former CISO. We discussed what it takes to lead securely in an AI-driven world and why many organizations are further behind than they think.
The backdrop was Microsoft’s CFO ebook, The CFO’s Role in Building a Frontier Firm, which opens with a striking finding: 87% of CFOs believe their cybersecurity posture is strong. Yet 61% of those same CFOs have experienced three or more major incidents in just 18 months, and 71% have suffered losses exceeding $5 million. That gap between confidence and reality is not a technology problem. It is a governance problem, and one Chris has spent his career addressing.
As a board director serving on risk and innovation committees, I find this data both alarming and actionable. The questions I brought back from Atlanta are ones I now put to every management team I work with.
80% Planning, 20% Execution
Chris opened with a principle that cuts through AI enthusiasm: most of the work of AI adoption happens before a single model is deployed. His framework “govern, manage, secure” is simple but demanding.
- Govern means defining accountability for AI success and failure across the business: not just IT, but business leaders, the CFO, and Legal. The first question is foundational: what do we want AI to do?
- Manage means knowing exactly what data AI can access across systems and devices. Without that visibility, no control is reliable.
- Secure means tracking all AI agents and treating security as the infrastructure that enables sustainable innovation.
This sequencing matters. Organizations progress from AI assistants to human-led agents, to fully agent-operated processes. In every phase, governance and security are prerequisites.
From the boardroom, I have seen too many AI pilots launch with enthusiasm while governance lags. A critical question for any board is whether governance is leading or being retrofitted after the fact.
As Chris put it: security must be at the core, not a bolt-on.
The Cost of Getting It Wrong
The ebook quantifies the stakes. The global average cost of a data breach is approximately $4.88 million, with the largest drivers being lost business and operational disruption.
Organizations that deploy security AI and automation extensively reduce breach costs by up to $2.2 million and shorten detection and containment time by roughly 100 days. That is measurable ROI that belongs in capital planning.
Chris was direct: CFOs are often measuring the wrong things. Compliance metrics such as access reviews, certifications, and clean audit reports are lagging indicators. They document the past but do not illuminate current risk.
Instead, leaders should ask forward-looking questions:
- What is our current risk exposure from unsanctioned AI tools?
- What controls are in place today?
- What recent incidents have occurred, and how are they being addressed?
The ebook reinforces this shift. It positions the CFO as translating technical exposures into expected-loss scenarios, factoring in downtime, revenue impact, customer churn, and regulatory penalties, and then funding the controls with the highest risk-adjusted returns.
As a board director, I now ask not for posture ratings, but for specific controls tied to the most material risks. The answers are far more revealing than any dashboard.
The CFO–CISO Relationship
One of the most direct insights from Chris: CFOs and CISOs often do not build relationships until a breach forces the issue, when disclosure deadlines loom and decisions must be made quickly.
The SEC now requires disclosure of material cyber incidents within four business days of determining materiality. Without predefined protocols and decision rights, that window is extremely tight.
Leading organizations prepare in advance. Some run regular breach simulations, align Legal, Finance, and Security on disclosure protocols, and rehearse board communications before an incident occurs. These should be standard practices.
Chris’s prescription is straightforward:
- Regular one-on-one conversations between CFO and CISO
- A shared vocabulary focused on business risk, not technical detail
- Joint tabletop exercises to simulate breaches and decision-making
These exercises often reveal misalignment. Resolving those differences in advance builds trust for when it matters most.
CISOs typically bring technical depth; CFOs bring governance and financial discipline. The bridge between them is the language of risk.
I have served on boards where this relationship barely exists outside formal reporting. It is one of the most consequential and fixable gaps in enterprise security.
Governing Data: The Foundation
Both the ebook and Chris emphasized a central point: AI is only as trustworthy as the data it learns from. Data governance is foundational.
For CFOs, effective data governance provides:
- Visibility into where sensitive data resides
- Clarity on how it is used
- Control over who and what can access it
These are the inputs required to quantify risk, meet compliance obligations, and ensure AI systems operate within appropriate boundaries.
The ebook’s 24-month roadmap reflects this priority. It begins not with technology deployment, but with:
- Mapping critical data and obligations
- Defining decision rights across leadership
- Establishing a multi-year investment plan
Only then do classification, labeling, and technology implementation follow.
From a board perspective, data governance deserves the same rigor as financial controls. The question is not whether a policy exists, but whether the organization can demonstrate with evidence that it works.
That distinction becomes critical under regulatory scrutiny.
The Frontier Firm: Three to Five Years Out
Looking ahead, Chris described the defining characteristics of a secure frontier firm: strong data governance and robust identity management.
The identity dimension is where many organizations are least prepared. In an AI-driven environment, employees will increasingly manage AI agents acting on their behalf. Those agents will require identities, permissions, and oversight just like human users.
This expands identity and access management from people and service accounts to include AI agents. Organizations that fail to prepare for this shift will face new and unexpected risks.
The ebook describes the end state as human-led, agent-operated: systems where humans set direction and agents execute workflows under continuous governance. CFOs in this model shift from cost control to orchestrating enterprise-wide transformation.
But reaching that stage securely depends on having data and identity foundations already in place.
Underlying all of this is trust. As Chris noted, trust is built slowly and lost quickly. Cyber insurance markets reflect this reality: underwriting increasingly evaluates governance, identity security, and incident readiness. Pricing becomes a signal of actual risk posture.
Organizations that excel in governance and preparedness not only reduce risk but also free capital to reinvest in innovation.
Questions for the Boardroom
Conversations like this provide something boards rarely get in cybersecurity discussions: concrete questions instead of general reassurances.
Here are the questions I am now bringing to every board and risk committee:
- Has the CFO reviewed controls against our top security risks in the last quarter?
- When did the CFO and CISO last meet outside formal reporting, and what did they discuss?
- Have we conducted a joint tabletop exercise in the past year?
- Can we demonstrate that our data is properly classified, governed, and auditable today?
- Do we have a governance framework for AI agents including their identity, access, and oversight?
- Is cybersecurity investment framed as risk-adjusted return, or treated as IT expense?
The gap between perceived strength and actual incidents is not a failure of technology. It is a failure of governance, relationships, and measurement.
Those are problems boards can help solve, but only if they ask the right questions.
That is what it means to be a frontier firm.
Watch our conversation here: https://youtu.be/xpgDEhbQts4
Read Microsoft’s CFO x CISO ebook here: https://info.microsoft.com/am-eraai-ebook-fy26-01jan-21-the-cfos-role-in-building-a-frontier-firm-srgcm15859_lp01-registration---form-in-body.html?wt.mc_id=AID3082500_QSG_EML_671440
#MicrosoftAITour #MicrosoftAmbassador
The 80/20 split on governance vs execution rings true, but curious how you define 'governance' in practice when the CISO and CFO still don't share a risk vocabulary.
VP and CTO - APJ | Tech Innovator | AI (1w)
The 80/20 stat really lands, Helen. And in APJ we see it play out in a very specific way — the governance conversation gets started, but it stalls at catalog and classification. Teams get visibility into what data exists. Almost none have answered the deeper question: is the data we're using to train and feed these models actually trustworthy? Provenance, lineage, immutability. Those three controls are split across security, data management, and backup teams that rarely sit in the same room. Until they do, the CFO and CISO are sharing a language of risk but operating on completely different assumptions about what "AI-ready data" actually means. The 87% confidence gap you cited is exactly that disconnect playing out at the executive level.
Strong insight. In the AI era, secure leadership is no longer just about technology; it’s about governance, identity, data discipline, and executive alignment on risk.
Thanks for sharing, Helen Yu! It's great to see these takeaways from the Microsoft AI Tour making an impact.
Great read, Helen Yu!