Cyber Frontlines: John Velisaris

In this edition of Cyber Frontlines, meet John Velisaris, Global Product Director for IBM Cybersecurity Services Cyber Threat Management. John is an Associate Partner at IBM Consulting, with a background leading IBM’s Security Intelligence and Operations Consulting (SIOC) group in North America. He brings deep expertise in cybersecurity strategy and threat management. Before coming to IBM, John had worked in a variety of industries, including healthcare, financial services, public sector, education and public accounting.

As part of my project management responsibilities for Cybersecurity Services, I’m constantly looking at the health of our services portfolio. I oversee the entire product lifecycle, from ideation and development to deployment and ultimately retirement. I consider the evolving threat landscape, emerging technologies and industry trends, regulatory requirements and customer needs to deliver secure, scalable and resilient solutions. Currently, I’m working on the expansion of our Digital Labor solution named ATOM, or the Autonomous Threat Operations Machine. ATOM orchestrates multiple AI agents to deliver improved outcomes for security operations. Rather than waiting to assist a cybersecurity professional, ATOM’s threat handling skills go into action when new alerts are detected, developing an investigation plan and forming the investigation tasks to be dispatched to individual AI agents within the agentic mesh. Most investigations are completed in under two minutes. This is truly an exciting time to be in security operations.

I started in security back in the 1990s when I was working for a dot-com company. I started as a hands-on practitioner but ultimately became responsible for the entire security program for the organization. After the dot-com bubble burst, I thought I had left security behind when I worked for one of the Big 4 public accounting firms. Then Sarbanes-Oxley (SOX) hit, and the firm called me to their headquarters to define the security thought leadership and methods for the IT General Controls (ITGC) portion of SOX.

Three things are top of mind. First, I absolutely love our clients and making them successful. Before I entered product management, I spent years working on major security projects for clients. Those experiences were extremely satisfying. Now, in a global role, I get to indirectly help clients all around the world by keeping our portfolio here at IBM relevant to being a high-value security partner to our clients. Secondly, the team of people that I work with are passionately like-minded in providing the best security services to our clients possible. Finally, now is a great time to be working in security because multi-agentic AI has the ability to be truly transformational for operational security. Historically, changes to cybersecurity have been incremental. As an industry, we rarely get to see something truly new. As we build autonomous AI capabilities, I see something that can be truly transformational. I see a future where we’ll wonder how we did security without AI.

AI assistants have limited benefit in security operations because you’re still dependent on a human working with that AI assistant. Autonomous AI and Digital Labor have the power to not only drive productivity and financial benefit, but increase security outcomes. Security operations center (SOC) teams have always been constrained by resource constraints. Digital Labor like ATOM allows SOC teams to deploy significantly more detection rules and advanced analytics by automating and reducing manual intervention in alert triage, investigation and response. As a result, security teams can deliver broader and deeper risk coverage, transforming alert handling into a strategic capability that protects the full enterprise attack surface.

This doesn’t exist. Even within cybersecurity, there are specializations and roles that have different resources and communities. Here’s what I do recommend, however: find the largest, most popular security conference in your area and go to that. Get out of your day-to-day bubble. Talk to every vendor. Talk to every attendee who is willing to talk to you (the mealtimes are great for this). Talk to speakers. Talk to panelists, from hands-on security operators to CISOs. If you want to take the pulse of where the industry is, what challenges are most common and what everyone is working on, a big conference gives you an unmatched resource to reach your own conclusions. You’ll be exhausted by the end, but you’ll get a year’s worth of understanding within a week’s worth of time.

Before going to any conference, ask what your goals are for that conference and whether the conference can help you achieve those goals. If you want a broad survey of cybersecurity, conferences like RSA Conference are great. If you want deep subject matter expertise on a specific vendor, attend their conference (and make sure you check virtual, free options first before attending an in-person conference). If you want a deep industry lens, identify an industry conference and find the security practitioners within the industry conference.

Understand your risk. While that’s simple to write, there are many layers and challenges to achieving that understanding, but when you do, the benefits are organization-wide. I bet you thought I was going to write zero trust, right? Or maybe implement frictionless security to drive adoption? Those are both good contenders, but risk wins.

I think early in a cybersecurity career, practitioners are focused on a tactical “how” problem, like:

• How do I achieve cloud security in the hyperscalers my organization uses?
• How do I configure this security tool?
• How can I drive more automation into the security program?
• How do I use AI to be more productive?

This focus on “how” is necessary because this knowledge will help you successfully do your job.  Make sure your knowledge of “why”, “what” and “who” expands, however, since as you move forward in your career, your responsibilities will most likely include those other questions. For example, why is cybersecurity a necessity for the organization? Look at the rationale and justification for the security program. What resources, scope and strategy are needed to implement an effective cybersecurity program? Who is accountable for cybersecurity, and does that differ depending on the role in the organization? The security team is not the only group accountable for security. The more exposure you get across not only “how”, but also “why”, “what” and “who” will help you be successful, whatever turn your cybersecurity career takes.

AI is by far the most consuming trend. Security practitioners have two jobs related to AI right now. First, the enterprise is adopting AI, and that adds a whole new layer of risk. As the evangelist and operator of security, we need to secure our enterprises as they adopt AI. Second, security teams need to adopt AI! AI is not going away, and if security teams don’t call out their needs and define their own AI adoption strategy, security will be left behind.