Julia Stoyanov
Communications Director

Diligent Q&A – Timothy Youngblood on emerging cybersecurity threats, the future of AI in security, and the need for cybersecurity education reform

January 22, 2025

With Diligent's Cyber Risk Virtual Summit just weeks away, we caught up with Timothy Youngblood, CISO in Residence at Astrix Security and former CISO at McDonald's and T-Mobile, to discuss today's most pressing cybersecurity challenges. Don’t miss the chance to hear more from Timothy and other industry leaders—register for the summit today!

Q. Tell us about your background 

A. I started my career as a developer and then transitioned from development into Local Area Network (LAN) and Wide Area Network (WAN) deployments, meaning I helped organizations ensure seamless communication between localized resources and geographically dispersed locations.

I advanced into leadership roles by delivering successful IT projects. This opened the door to joining a Big 4 consulting firm, where I led formal audit assessments, security reviews, and controls. Through this role, I worked with 40–50 organizations per year and became very passionate about safeguarding organizations. After moving back into operations focused on security, I became the first Chief Information Security Officer (CISO) of Dell Inc., where my program won many industry awards. I was also on the Dell patent committee assessing new technology for the company.

Innovation has been at the forefront of my career as I took on CISO/CSO roles at Kimberly-Clark Corporation, McDonald's and T-Mobile. To this day, I am extremely passionate about empowering organizations to safeguard their assets and drive sustainable growth.

Q. Your upcoming session in Diligent's 2025 cyber risk summit will cover emerging threats. How have the types of cyber risks shifted over the past few years, and what trends do you think will define the next decade in cybersecurity? 

A. Interestingly, despite how technology has evolved, many of the same issues that plagued cybersecurity 10 years ago are still significant problems today. Think about the source of most data breaches today — there is still a lack of patching, poor passwords, and misconfigurations. Now enterprises have moved to the cloud, and we're still dealing with those same problems.

The difference is these risks are now intensified due to exposed generative AI large language models (LLMs), the emergence of non-human identities and vulnerable data models that leave organizations exposed to breaches or data corruption. In the future, these trends will persist and evolve with increasing automation, leading to more agent-based ecosystems that make decisions and choices traditionally made by humans.

Q. AI is both a powerful tool and a potential vulnerability in cybersecurity. How do you see AI transforming the threat landscape, and how can organizations leverage AI to strengthen their defenses? 

A. At this stage, artificial intelligence (AI) remains a passive tool in security, primarily serving as an assistant in research. There is great potential for it to be used as a more proactive tool, capable of self-healing vulnerabilities and exposures. Today, nearly every new security solution on the market has AI capabilities built into it, signaling the growing importance of AI in defense.

Tools that can autonomously defend themselves are becoming increasingly feasible. At the same time, attackers will also automate attacks via AI, so the future will depend on who can develop the best models. To safeguard tomorrow's networks, entirely new skill sets will be required.

Q. How might emerging cyber regulations shape the architecture and priorities of enterprise cybersecurity stacks in the future?

A. Regulation has always been a step behind technology, and I don't see that changing anytime soon or in the future. It takes a major event to move the industry to change, like the Enron scandal did for audit requirements. If significant targeted supply chain attacks continue to impact global economies, swift changes will follow. Until that time, regulation will be incremental at best and depend on the political parties in power at the time. In the meantime, companies must remain proactive in their cyber defense strategies, driven by investor expectations, risk management, and the need to protect their reputation and bottom line.

Q. How can companies cultivate a culture of security that empowers employees to be proactive in defending against cyber threats?

A. Security leaders are pushing for more effective approaches in security awareness training. While traditional models and phishing studies have shown limited success, there is growing recognition that moving toward persona-based education is key. By understanding how individuals perform their roles and integrating security into their daily tasks, security can become a more natural part of their workflow. Additionally, adapting to the current generation's preferred way of consuming information—such as short, engaging, bite-sized content—can make a lasting impact.
