Mark Nicholson, Deloitte US Cyber AI leader, Deloitte & Touche LLP – Interview Series

Mark Nicholson, a principal at Deloitte & Touche LLP, is Deloitte’s Cyber AI Leader. He previously served as Cyber’s Zero Trust leader, where he helped complex organizations more confidently leverage advanced technologies to build cyber risk programs that better align security investments with risk priorities, establish improved threat awareness and visibility, and strengthen their ability to thrive in the face of cyber incidents.

Mark was actively involved in designing and building some of the first cybersecurity monitoring solutions for fraud detection and other forms of business loss prevention. He frequently briefs boards and executive committees on the topics of emerging cyber threats and the alignment of traditional risk management governance and cyber risk mitigation techniques.

How has your career shaped your perspective on cybersecurity and risk in the age of AI?

As an entrepreneur who co-founded a company in the early days of Security Information and Event Management, I’ve spent a lot of time focusing on the problem of data aggregation, analysis, and automation. I remember a time when analysts would print out hard copies of firewall logs in the morning to manually review in hopes of finding anomalies in network traffic. Despite tremendous advancement, a data analysis problem has persisted. AI promises to dramatically improve our ability to efficiently process and analyze security data. It will also help us execute faster remediation actions, but the stakes have never been higher. We are approaching an age when it will be more and more difficult for IT and cyber professionals (let alone laymen) to fully understand the inner workings of computer systems, and thus, it will be more difficult to understand when they have been compromised.

The work I do at Deloitte really boils down to trust. Can we trust that financial data is accurate? Can we trust that the IT controls are effective? Can a customer trust that their data will be held in confidence? The age of AI amplifies the imperative to be able to trust the integrity of systems.

Deloitte recently launched a broad set of Cyber AI blueprints and technology services designed to help businesses embed AI into the core of their cyber strategy. What specific gap or market failure were you seeing that made this launch urgent?

First, bad actors are already finding ways to leverage AI to gain advantage, which hastens urgency. Second, there are many ambitious claims about how AI products can solve thorny problems, but it requires a lot of experimentation to discern fact from fiction. Finally, the eagerness of executives to realize AI value creates pressure for cybersecurity programs to mitigate risk without slowing down the business. Approximately 80% of organizations expect to increase their overall AI spending in the next fiscal year. Widespread AI transformation requires cyber leaders to reimagine how their organizations operate.

Deloitte’s Cyber AI blueprints and technology services help provide the clarity needed for leaders to transform their cyber operations for the AI era, allowing organizations to design, build and operate an AI-enabled cyber function that supports the ambitions of the business.

How do you advise enterprises to balance rapid AI deployment with the need to embed cybersecurity protocols from the ground up?

When it comes to rapid AI deployments, organizations need to have cybersecurity controls figured out going in. Just like good brakes enable a car to go faster, good cybersecurity should accelerate AI adoption. This requires clear governance frameworks, continuous monitoring throughout the deployment lifecycle, and cross-functional collaboration between AI and security teams.

By aligning these transformation efforts with security from the start, organizations can accelerate AI adoption while safeguarding critical assets and maintaining regulatory compliance.

Deloitte’s research shows that cybersecurity has often been an afterthought in AI rollouts. What are the consequences of this lag—and how can organizations course-correct?

Cybersecurity programs have historically been in a perennial game of catch up with technology transformation, often left behind inadvertently by IT. Sometimes, this is the result of a perception that involving security will hamper progress. Invariably, the lag creates impact downstream by introducing risk and in the case of some industries, regulatory scrutiny. Ironically, the lag can become more costly and time-consuming in the long run.

With AI, security is in a unique position to help the business move faster with confidence in its AI journey. Getting a proper strategy in place up front is critical, but the devil is really in the details. Frameworks provide a starting point. Deloitte’s blueprints get to the next level and help facilitate the crucial conversation about how the tech will work in reality as part of a complex system. That conversation goes deep fast.

Building cyber into each business function from the beginning makes a big difference in determining if the initiative will be successful or not. Tech transformation requires rigor. By making cybersecurity a foundational element, organizations can unlock the full value of AI while minimizing risk, helping to create systems that are secure, resilient, and compliant.

How do Deloitte’s blueprints help enterprises reframe cybersecurity as a value driver, rather than just a risk management function?

Deloitte’s Cyber AI blueprints reduce the need for lengthy and expensive experimentation. The blueprints help organizations accelerate the addition of a digital security workforce that drives a more efficient, user-friendly experience. By using these blueprints, enterprises can go beyond ad hoc use case development and create a service architecture with AI that aligns the capabilities needed to deliver business outcomes with integrated governance.

What role do agentic AI systems play in modern cybersecurity transformation, and how is Deloitte incorporating them into its offerings?

Agentic AI has great potential across many applications in the security function, but it is still maturing. We have developed agents that support level 1 security operations and help realize the promise of Security Orchestration, Automation, and Response (SOAR) products that many organizations have struggled to implement. We have developed an autonomous penetration testing agent. We have created an agent that improves the efficiency of the Identity Governance and Administration (IGA) process. We have even started working on a pilot for an agent that performs controls effectiveness monitoring and might eventually be able to provide first draft regulatory exam response. Our bigger focus is how all of this works together. Ultimately, as agents proliferate exponentially, organizations need to have strong control over agent permissions. Also, to create real value, there needs to be a supervisory function that coordinates and governs the workloads and requests.

Deloitte offers Cyber AI blueprints and technology services to help organizations accelerate their programs. Deloitte also offers GenAI and agentic solutions through its Zora AI™ product platform, which was architected for strong performance, security and scalability.

How do you approach building a cybersecurity-aware workforce in an era when AI is automating more decision-making? What skills still matter most?

First, it’s important to note that the human workforce is the key to realizing value from AI. No one knows more about what goes into the work than the folks that are doing it every day. It’s essential that leaders enlist proven performers within their organizations to help establish a clear framework and guardrails for leveraging AI. In this stage, internal communication is critical as leaders must set the tone from the top, but engage stakeholders and workers early to ensure transparency and foster buy-in. Exposure and training can help demystify the technology and then foster a culture that views the transformation as helpful in making their jobs easier and/or helping them become more productive.

In your experience, which industry verticals are showing the most urgency—or resistance—toward AI-led transformations?

The pace of AI-led transformation varies widely from company to company and depends on business function. Most sectors are exploring the value AI would bring to their security program. In highly regulated industries, there is an added incentive to leverage AI for improved risk management (with vigilance in managing the risk that AI itself introduces). Financial Services and Tech firms are often ahead of the curve in tech adoption, but they are not alone in prioritizing AI initiatives. Many Life Sciences and Healthcare companies are aggressively developing AI programs. Regardless of sector, in some cases, there is a perception at the executive level that AI can power cost reduction and workforce transformation and this drives action.

There has been some scuttlebutt lately about mixed results in achieving business value from AI adoption, but I don’t believe this applies in the security context. It’s important to note that when looking at ROI with AI adoption across industries, those focused on cybersecurity are far more likely to be exceeding their ROI expectations, with 44% of cybersecurity initiatives delivering a ROI somewhat or significantly above expectations versus only 17% that are delivering an ROI somewhat or significantly below expectations.

What metrics or signals do you use to measure whether a client’s AI + cybersecurity transformation is actually delivering business value?

There are several factors that will determine how to measure the business outcome of this transformation – all dependent on an organization’s specific business, industry, threat landscape, needs, and maturity. Organizations can begin by conducting an AI readiness assessment to identify the opportunities that exist and the level of effort to achieve the desired ROI. In addition to this, Deloitte has created a Workforce Analyzer tool that helps an organization better understand the daily workloads borne by cyber personnel.

Looking five years ahead, how do you expect AI to reshape the cybersecurity landscape—both in terms of threat sophistication and how organizations defend themselves?

With the incredible pace of innovation, it’s difficult to project out 5 years. It’s safe to say that AI will continue to transform the cybersecurity landscape on both sides of the equation. We anticipate a surge in threat sophistication as adversaries leverage AI to automate attacks, evade detection, and exploit vulnerabilities at unprecedented speed and scale. We also expect that organizations will increasingly harness AI-driven tools to proactively identify risks, automate incident remediation, and adapt defenses dynamically while humans maintain stewardship “on the loop”.

It is self-evident that enterprises who invest in AI-powered security and foster a culture of continuous learning will likely be better equipped to protect assets, build resilience, and maintain trust than those that do not.

Thank you for the great interview. Readers who wish to learn more should visit the Deloitte Cyber AI Blueprints and Technology Services page.

Antoine is a visionary leader and founding partner of Unite.AI, driven by an unwavering passion for shaping and promoting the future of AI and robotics. A serial entrepreneur, he believes that AI will be as disruptive to society as electricity, and is often caught raving about the potential of disruptive technologies and AGI.

As a futurist, he is dedicated to exploring how these innovations will shape our world. In addition, he is the founder of Securities.io, a platform focused on investing in cutting-edge technologies that are redefining the future and reshaping entire sectors.