What AI Means for Your Security Team

My Journey From Spreadsheet to AI-Powered Security

I’ve been through more security audits than I can count. Both, conducting them and being on the receiving end. I’ve sat on the auditor’s side of the table, watching teams scramble to provide evidence for controls they claim to have. I’ve been on the auditee side too, working late nights to gather documentation, chasing system owners, and frantically updating tracking spreadsheets.I’ve been involved in a ton of security audits, both as the one doing the auditing and the one being audited. When I’m the auditor, I often see teams scramble to prove they actually have the security controls they say they do. And when I’m the one being audited, I’ve pulled plenty of all-nighters gathering documentation, chasing down system owners, and frantically trying to keep those tracking spreadsheets up to date.

It’s the same old story, no matter what side of the issue I’m looking at. And every time, I think to myself, “There’s gotta be a better way to do this.” And often, it doesn’t matter if you’re a startup or on your way to become a Fortune 500 company - the patterns are remarkably similar. So, I’ve come to a striking realization: everyone’s security program is broken to some extent. The scale might be different, but the core issues remain: manual processes, reactive approaches, and a constant feeling of playing catch-up.

If you’re reading this, you’ve probably experienced this yourself. Maybe you’re preparing for an audit right now, or perhaps you’re reviewing your vendors and feeling that familiar sense of uncertainty about their security posture. With that as a pretext, now let’s talk about how security platforms have evolved, and more importantly, how AI is finally helping us break this cycle.

We’ve All Lived Through The Spreadsheet Days (Many of Us Are Still There)

When I started in security, everything lived in spreadsheets. We had spreadsheets for risk assessments, spreadsheets for requirements tracking, spreadsheets that linked to other spreadsheets.

Here’s what my typical day looked like:

• Digging through email threads to find the “latest” version of a document
• Manually copying data between different tracking sheets
• Chasing people down for evidence and clarifications
• Hoping nobody had accidentally broken a formula in our master tracking sheet

We thought this was just how things had to be. “Security is complex,” we told ourselves. “Of course it requires a lot of manual work.” Looking back, we wasted so much time on tasks that could have been automated.

The First Wave: Better Than Spreadsheets (But Not By Much)

When the first GRC (Governance, Risk and Compliance) platforms arrived, they felt like a game-changer. Finally, we had a single place to store our documentation! These early platforms were basically digitized spreadsheets with some basic workflow capabilities, but at the time, they seemed revolutionary.

But here’s what we learned trying to use them: these platforms often created as many problems as they solved. Sure, everything was in one place, but:

• We still had to manually input everything
• The interfaces were clunky and unintuitive
• Getting data out for was a nightmare
• Nobody wanted to use them because they were too complicated

And in the worst case scenarios, you needed additional resources just to manage the new GRC tool - the very tool that was supposed to make us more efficient.

The Integration Age: A Step in the Right Direction

As security tools multiplied, GRC platforms evolved to become integration hubs. Instead of manually copying and linking data from our vulnerability scanner into our risk register, we could have it flow automatically.

But another hard truth we learned: integration doesn’t equal automation. Yes, the data was flowing automatically, but:

• We were drowning in false positives
• Alert fatigue was real and dangerous
• You still had to manually analyze everything
• The more you connected, the more complex everything became

I have watched teams (and I have done it myself) ignore critical alerts because they was buried among hundreds of false positives. The “integrations” had actually made us less secure by overwhelming us with noise.

The AI Revolution: What It Really Means for Your Team

This brings us to today. After dealing with these problems for years, I’m excited to see how AI is changing the way we handle security.

Empowering Your People, Not Replacing Them

One of the biggest realizations about AI is that it shouldn’t replace security (and other) professionals - it should empower them. I see this in action every day in PEAK DEFENCE, and in the companies we work with:

• Security analysts starting to have time to work on the strategic projects they were hired for, instead of spending 80% of their time going through outdated documentation or gathering evidence
• CISOs who could immediately answer board or important customer questions with confidence, instead of saying “I’ll get back to you” and then scrambling to pull data
• Tiny security teams that are able to handle compliance for three frameworks simultaneously, something they couldn’t have imagined previously

The real impact isn’t just efficiency - it’s giving teams of people the chance to do the work they’re passionate about and that delivers real value.

Transforming Processes That Were Built for the Pre-AI Era

The process challenges in security management is where I see some of the most dramatic improvements.

Making Your Technology Stack Work Smarter Together

But the real magic happens when AI enhances your entire technology stack. Rather than being just another tool, AI can make your existing security tools work smarter together:

• Continuous monitoring across all security systems
• Real-time risk assessment and prioritization
• Automated evidence collection and validation
• Predictive analytics for emerging threats
• Intelligent alert correlation and reduction

What makes this truly revolutionary is how these elements work together. The AI can identify patterns in vendor responses that suggest potential supply chain risks. Mapps how these risks impacted different parts of the organization. It prioritizes remediation activities by potential impact. The system creates targeted training for affected teams. The whole system continues learning from each interaction to improve.

Breaking the Cycle: How AI Is Changing the Game

After seeing these patterns repeat themselves countless times across dozens of organizations, I’m convinced that AI offers a fundamentally different approach to these challenges. The most promising AI applications I’ve seen in this space focus on:

Intelligent Analysis & Learning

Modern AI can understand context and nuance in ways traditional automation can’t. It spots inconsistencies, identifies potential risks, and continuously learns from each interaction.

For example, AI can detect when a vendor claims to have robust data encryption in one response but inadvertently reveals they’re not encrypting data at rest in another - connections that would be difficult for a human to catch manually across hundreds of questions.

Relationship Mapping

Security doesn’t stop at organizational boundaries. AI can map complex webs of relationships between vendors, systems, and data flows, helping you understand how a security issue with one vendor could impact your entire organization.

Predictive Capabilities

By analyzing patterns across thousands of data points, AI can identify potential issues before they become problems. It’s not just about finding current vulnerabilities - it’s about predicting where the next risk might emerge and helping you prepare for it.

What This Actually Means for You and Your Team

If you’re still using traditional GRC tools, you might be wondering what steps you should be taking now:

1. Start Where You Are

Don’t feel like you need to transform everything overnight. Begin by:

• Documenting your biggest pain points (e.g. evidence collection)
• Identifying which manual processes are eating up your time (e.g. vendor assessments)
• Looking for areas where you’re seeing frequent errors (e.g. risk assessments)
• Thinking about what your team could accomplish with the time you’d save

2. Think Beyond Basic Automation

The real gain isn’t in digitizing your current processes but transforming them:

• Don’t just automate data collection - use AI to analyze it
• Look for opportunities to predict issues, not just report on them
• Focus on outcomes (better security), not just efficiency
• Think about how AI can help you communicate security value to leadership

3. Build a Realistic Roadmap

Create a practical plan for evolution:

• Start with high-impact, low-risk processes
• Build confidence with small wins
• Measure and communicate the value of each step
• Let the results guide your next moves

AI isn’t magic - it’s just a powerful tool that, when applied correctly, can solve problems that we’ve been struggling with for decades. The real magic is in what your team can accomplish when they’re freed from the manual burden that’s been holding them back.

If anything in this article resonated with you, I’d love to hear about your experiences. What parts of your security program keep you up at night? Where do you feel like you’re stuck in manual processes that should be automated?

This isn’t just about technology - it’s about transforming how we approach security management, and work overall. And that conversation is just beginning.

Key Takeaways for Your Security Team

• AI transforms how security teams work, moving them from manual tasks to strategic work
• The real value isn’t just automation, it’s in prediction, analysis, and continuous learning
• Start small with high-impact, low-risk processes to demonstrate value
• Think beyond efficiency to how AI can improve your actual security outcomes
• It’s about empowering your team, not replacing them