
How strategic CISOs innovate with AI despite limited resources

Sravish Sridhar

Jun 3, 2026


In previous Strategic CISOs sessions, I’ve spoken with security leaders from Andesite, IMO Health, and Cribl. They’ve built trusted programs where GRC functions as a business driver and customer assurance accelerates revenue.

But every CISO I speak with is still fighting some version of the same fight.

They have more obligations, more scrutiny, and more AI-related risk, but they do not have more people, more budget, or more hours in the day.

So when you are stretched thin, is it still possible to innovate?

Yes, but not by chasing every new AI tool. Strategic CISOs are using AI and automation to prioritize risk, reduce manual work, and prove assurance with the resources they already have.

CISOs are taking on more responsibility with fewer resources

CISOs are responsible for protecting critical systems and data, but most are underfunded and understaffed. AI adds further pressure: new attack surface, new compliance obligations, and new risks to data and intellectual property. Leadership teams want to move quickly, but they also need to avoid unacceptable exposure.

Splunk’s 2026 CISO Report found that 96% of CISOs now oversee AI governance and risk across the enterprise. The same report says 41% of CISOs cannot correlate ROI to risk mitigation and remediation, making it harder to explain why the business should invest more in security.

CISOs need a better way to show business impact. They need to measure and communicate risks reduced, audits passed, costs avoided, revenue supported, and assurance improved.

Higher education shows why legacy GRC does not scale

Higher education is a useful lens because the pressure is especially acute.

University CISOs face broad obligations, complex stakeholder environments, and limited resources. In public institutions especially, security leaders may be responsible for risk without having direct authority over every part of the organization. Faculty, staff, departments, research groups, vendors, and administrative units all introduce risk, but they do not all report to the CISO.

Budgets are also under pressure. EDUCAUSE reported that 42% of higher education respondents anticipated IT budget decreases for the 2025–2026 academic year, with a median expected decrease of 8%.

The threat environment is not slowing down. Sophos’ 2025 ransomware research found that higher education providers were more likely to be hit by ransomware through exploited vulnerabilities, the initial access vector cited in 35% of cases, and 49% named unknown security gaps as the most common organizational root cause.

More frantic GRC activity will not scale; it will only burn out the team.

The answer is to decide what matters most, automate where it makes sense, and build a security assurance model that can keep up with change.

Start with risk prioritization before scaling AI

CISOs working with limited resources need to ask:

  • What are the most important risks to the institution?
  • Which systems support critical services and operations?
  • Which obligations are non-negotiable?
  • Which gaps would create the most disruption if left unresolved?

This is especially important in higher education, where CISOs need to communicate risk in terms trustees, presidents, provosts, CFOs, and other leaders can understand. Not as a list of technical findings, but as a business conversation.

Automate repetitive security and compliance work before adding headcount

Once CISOs know which risks matter most, they can identify where automation will remove the most repetitive work.

For lean teams, the best place to start is not always the most complex workflow. It is the work that happens often, follows a repeatable pattern, and pulls the team away from higher-value decisions.

That might mean automating internal policy questions, streamlining incident intake, improving evidence collection, or connecting existing systems so analysts are not manually moving data from one place to another.

Strategic CISOs use automation to create leverage. They build workflows that help the team move faster without lowering confidence. In a resource-constrained environment, that can be the difference between staying reactive and building a mature program.

Use continuous control monitoring to prove assurance

The final step is using automation for assurance.

A lean team may be able to answer questions faster with AI. But the bigger opportunity is proving that the controls behind those answers are working. Continuous control monitoring changes the model.

Traditional GRC relies too heavily on point-in-time assessments, manual evidence collection, and workflow completion. A completed workflow or a signed-off assessment does not tell the CISO whether the control is still operating today.

True assurance requires a continuous, evidence-based model. Instead of waiting for the next audit or assessment cycle, CISOs need to know when a control drifts, a system changes, a dependency shifts, or a risk threshold is breached.

Continuous assurance helps lean teams scale without adding more manual work. They can monitor more systems, assess more controls, and produce more trusted reporting without asking humans to validate every data point by hand.
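The drift detection this section describes, as an added example that is not code from the page or from TrustCloud: two controls (a zero-tolerance MFA control for privileged accounts and a patch SLA control that tolerates up to 5% of hosts lagging) are evaluated against normalised evidence exports, and two evaluations taken at different times are diffed so that a control that regresses, recovers, or degrades while still inside its tolerance produces an event instead of waiting for the next audit. The control ids, user and host records are constructed for illustration and are not real findings.

```python
"""Continuous control monitoring: evaluate controls against fresh evidence and
report drift since the previous evaluation. Added example, not TrustCloud code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ControlResult:
    control_id: str
    passed: bool
    failing: tuple  # sorted identifiers of resources violating the control
    coverage: float  # fraction of in-scope resources that comply


# Constructed sample evidence (hypothetical identifiers), shaped like a
# normalised IAM export and a patch-management export at two points in time.
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)
USERS_T0 = [
    {"id": "alice", "privileged": True, "mfa": True},
    {"id": "bob", "privileged": True, "mfa": True},
    {"id": "carol", "privileged": False, "mfa": False},
]
USERS_T1 = [
    {"id": "alice", "privileged": True, "mfa": True},
    {"id": "bob", "privileged": True, "mfa": False},   # MFA removed since T0
    {"id": "carol", "privileged": False, "mfa": False},
    {"id": "dave", "privileged": True, "mfa": False},  # new admin, no MFA
]
HOSTS_T0 = [
    {"id": "web-01", "last_patched": NOW - timedelta(days=10)},
    {"id": "web-02", "last_patched": NOW - timedelta(days=12)},
    {"id": "db-01", "last_patched": NOW - timedelta(days=20)},
]
HOSTS_T1 = [
    {"id": "web-01", "last_patched": NOW - timedelta(days=10)},
    {"id": "web-02", "last_patched": NOW - timedelta(days=45)},  # past SLA
    {"id": "db-01", "last_patched": NOW - timedelta(days=20)},
    {"id": "lms-01", "last_patched": NOW - timedelta(days=60)},  # past SLA
]


def _result(control_id, in_scope, failing, tolerance):
    """Pass when the share of compliant resources is at least 1 - tolerance."""
    failing = tuple(sorted(failing))
    coverage = 1.0 if not in_scope else 1 - len(failing) / len(in_scope)
    return ControlResult(control_id, coverage >= 1 - tolerance, failing, coverage)


def check_privileged_mfa(users):
    """AC-1 (hypothetical id): every privileged account enforces MFA. Zero tolerance."""
    admins = [u["id"] for u in users if u["privileged"]]
    failing = [u["id"] for u in users if u["privileged"] and not u["mfa"]]
    return _result("AC-1", admins, failing, tolerance=0.0)


def check_patch_sla(hosts, now, sla_days=30, tolerance=0.05):
    """SI-2 (hypothetical id): hosts patched within sla_days; up to 5% may lag."""
    limit = timedelta(days=sla_days)
    failing = [h["id"] for h in hosts if now - h["last_patched"] > limit]
    return _result("SI-2", hosts, failing, tolerance)


def evaluate(users, hosts, now):
    """One monitoring pass: run every control and key results by control id."""
    results = [check_privileged_mfa(users), check_patch_sla(hosts, now)]
    return {r.control_id: r for r in results}


def detect_drift(previous, current):
    """Diff two evaluations; return (control_id, event, detail) tuples."""
    events = []
    for cid, cur in current.items():
        prev = previous.get(cid)
        if prev is None:
            events.append((cid, "new_control", ()))
            continue
        if prev.passed and not cur.passed:
            events.append((cid, "regressed", cur.failing))
        elif not prev.passed and cur.passed:
            events.append((cid, "recovered", ()))
        # Still passing, but new resources slipped: surface it before the
        # threshold is breached rather than after.
        new_failures = tuple(sorted(set(cur.failing) - set(prev.failing)))
        if new_failures and cur.passed:
            events.append((cid, "degraded", new_failures))
    return events


if __name__ == "__main__":
    baseline = evaluate(USERS_T0, HOSTS_T0, NOW)
    latest = evaluate(USERS_T1, HOSTS_T1, NOW)
    for cid, event, detail in detect_drift(baseline, latest):
        print(f"{cid}: {event} {detail} (coverage {latest[cid].coverage:.0%})")
```

Each control returns a typed result rather than a pass/fail string so the same evidence can feed both the drift events and the coverage numbers a board report needs; the tolerance on the patch control is what turns a risk threshold into something the monitor can watch for.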

That is how resource-constrained security leaders build resilience and support growth.

Join us on June 18

This is exactly the topic for our next Strategic CISOs virtual conversation, What it really takes to lead security in higher education, on June 18 at 2 PM ET / 11 AM PT.

I’ll be joined by Matthew Martin, CISO at Western Carolina University. Matt spent more than 20 years in financial services before turning his attention to underserved markets and resource-constrained environments.

Matt will share how he is building a real security program within those constraints, and what it takes to create leverage with a limited budget. We’ll talk about the decisions, trade-offs, and practical lessons behind leading security in a higher-ed environment where everything has to be planned with intention.

If you are a security leader navigating the same pressures, this one’s for you.
