The demands on today’s CISOs are intensifying from every direction. Rapid advances in AI, newly discovered and exploited vulnerabilities, escalating geopolitical conflicts, aggressive enterprise tech adoption and the looming arrival of quantum computing are all reshaping the threat landscape in real time. Gary Brickhouse, CISO of cybersecurity firm GuidePoint Security, sees and hears about it all. I spoke with him about today’s real threat landscape—and what CIOs and CISOs aren’t paying attention to, but should be. An excerpt from our conversation is later in this newsletter.

Until next time.

This is the published version of Forbes’ CIO newsletter, which offers the latest news for chief innovation officers and other technology-focused leaders.

Artificial Intelligence

[Photo: Pope Leo XIV with Anthropic cofounder Chris Olah and Durham University professor Anna Rowlands after presenting "Magnifica Humanitas." Credit: Alberto PIZZOLI / AFP via Getty Images]

In a world where policymakers are hesitant to regulate AI or limit its uses, Pope Leo XIV boldly declared that AI, left unchecked, “threatens to normalize an anti-human vision.” In his first encyclical, published this week, the pope said governments need to slow down and closely regulate AI development before it does any more damage to humanity—sowing conflict, concentrating power in the hands of a few powerful tech companies and eroding human dignity. The encyclical compares the AI economy to slavery and says it will create “second-class humans.” The pope warned that humanity faces a stark choice: either construct a new Tower of Babel—a reference to the Biblical story of humanity attempting to reach the heavens and rival the divine—or create a society in which God and humanity coexist.
The encyclical’s title is “Magnifica Humanitas”—literally “Magnificent Humanity.” And the pope doubled down on his stance later in the week, warning that data and digital platforms should not be controlled by a small group of powerful actors—basically taking Silicon Valley to task for using technology to control humanity.

Reaction to the encyclical has been mixed. Anthropic cofounder and head of research Chris Olah was in Vatican City when the pope released his encyclical this week to share concurring remarks. He said every AI lab operates under pressures that “can sometimes conflict with doing the right thing,” and called for more thoughtfulness about the potential impacts of AI on society—and for leaders to exercise discernment to guide tech companies as they move forward. AI skeptics rejoiced on social media, with some non-Catholics embracing the power of the pontiff for the first time, writes Forbes senior contributor Dani Di Placido. Anti-AI memes starring Leo have appeared throughout social media—with several referencing the Butlerian Jihad in the Dune novels, in which humanity revolted against “thinking machines.”

The Trump Administration has had a more muted reaction. Vice President JD Vance, a Catholic, told NBC News the encyclical was “very profound,” but said he hadn’t read the whole thing yet. Interior Secretary Doug Burgum commented on the encyclical in a Fox Business interview, saying, “I didn’t know that tech editorializing was part of the role of being pope,” and that the construction of AI data centers is “positive for humanity.”

Policy + Regulations

President Donald Trump took an active role in opposing AI regulation this past week. A week ago, he said he was about to sign an executive order requiring government review of AI models before they are released, but abruptly changed his mind.
Last Thursday—the day he reportedly planned to sign the order and had hoped tech CEOs would join him in the White House for the ceremony—Trump said he “didn’t like certain aspects” of the order, and thought it “could have been a blocker.” Media reports last Friday indicated Trump was talked out of signing the order by tech executives, including Elon Musk, Mark Zuckerberg and former White House AI and crypto czar David Sacks. But not all tech execs are against government AI regulation. OpenAI reportedly supported the executive order and is pushing to get state-level regulations on the books, Semafor reports.

Bits + Bytes

What CISOs Should Be Thinking About—But Aren’t

[Photo: GuidePoint Security CISO Gary Brickhouse. Credit: GuidePoint Security]

Cybersecurity is always a minefield, but right now it’s full of uncertainty. AI is growing and developing every day, bringing solutions that may both boost productivity and pose a threat to an enterprise. The burgeoning tech landscape, excitement over the idea of automation, geopolitical strife and new power for bad actors make it a difficult time to be in the cybersecurity profession.

Gary Brickhouse, CISO of cybersecurity firm GuidePoint Security, sees and hears it all. I spoke with him about what CISOs are worrying about—and what they really should be worried about. This conversation has been edited for length, clarity and continuity.

What are some of the biggest concerns that CISOs are coming to you about?

Brickhouse: There’s a couple big categories. One is visibility. We’re struggling really hard with keeping our arms around what is out there. If you go back to agentic AI, think about the rights of what those agents can do. There’s so much movement around AI implementation, I’m not sure we’re seeing all of it.

That pivots into this growing attack surface area. I don’t know what I don’t know. Looking at AI development efforts, you think about vibe coding or citizen-development-type activity.
We’re trying really hard—I can speak from my own organization’s perspective—to put the right guardrails in place. We’re trying to put the right controls within our development pipeline to make sure bad stuff isn’t happening. But again, it’s just more attack surface that’s out there.

If you take AI off the table, the concern that we had six or eight months ago—which frankly is still a concern—is the sprawl of SaaS applications. We always joke that anybody in the business can go to a website, put in a credit card and boom: you have a SaaS application. That is data sprawl, and AI certainly is amplifying this. CISOs are struggling to get their arms around where all of their crown jewel data is. Even if they had it in one central area, now being accessed by a variety of AI agents, it’s harder to keep the inventory of where that data ultimately is going to live.

The other thing that salts all of this is this is an unprecedented time in terms of organizational risk appetites. They’re at the highest they’ve ever been. Most of my conversations [with CIOs and CISOs], the CEO or an executive in the organization has already struck the direction: We’re moving AI. They’re getting pressure from the board, other executives and peers. And so they’re just like, ‘We don’t care. We’re going.’ From a CISO perspective, we have to enable the business to go really fast, but at the same time, we’re trying to implement enough guardrails to keep us from completely driving off the side of the cliff. We’re still okay with a fast approach here, but it’s been a little shocking to me how quickly they’re like, ‘Just throw AI out there, it’ll be great.’

Is there anything that you are not hearing from CIOs and CISOs that you feel like you should?

There’s two pieces that aren’t being talked enough about. One is that ‘back to the basics’ approach—that frankly should have never left. I don’t think it has; it’s gotten less attention.
Think about the normal things: asset inventory, data management practices, vulnerability management, patching, log monitoring. These very basic things that in the event that threat actors are able to leverage AI—or internally bad things happen from an AI perspective—you’ve got that defense that is helping underpin and lower the risk, ultimately, for things that happen. They’re just not sexy to talk about, frankly. The board doesn’t want to hear about, ‘What basics are we doing?’ It’s, ‘How are we addressing this sort of emerging threat?’

The conversation that 100% isn’t happening enough is around resiliency. Cyber resiliency, I would say more holistically, but even the good old-fashioned business resiliency. My hot take here is I think we spend more money on prevention and not nearly enough on thinking through the resiliency and recovery aspect. Now that we’ve introduced agents that are ultimately able to act autonomously and do things that we may or may not approve of, we’re starting to see little pieces where this thing did something it wasn’t supposed to. I don’t feel like [CISOs and CIOs] are talking enough about the resilient aspect of not only from threat actor ransomware—how do we recover—but also in terms of our agentic use and AI in the environment. We’re trying to enable the business to do risky things, and to do it in a way that is as safe and secure as they can be.

What advice would you give CIOs and CISOs?

Get back to the basics, stay the course. It is what’s happening in the AI space, the things that are being talked about, the risks that are being presented. It’s not fear, uncertainty, and doubt. It’s not people saying the sky’s falling. When you look at permissions that an agent has and our ability to have an inventory of those agents, what permissions do they have and what functions do they operate in? Those are real problems and challenges that we have to solve.

What does it look like to be a great communicator?
If we can’t talk in terms of business outcomes that resonate with the business, we’re not really going to get traction. Our role is to lead in this space, and our ability to lead and drive influence is commensurate to how well aligned we are with the business. I can stand over here and say, ‘We need to invest in this resiliency because our maturity number says we’re supposed to have resilience and it’s going to help us move from a three to a three-two.’ That isn’t going to resonate. What resonates is: ‘We just had a peer company that went through a ransomware event. It cost them $112 million. I’m trying to help protect our revenue stream.’

Comings + Goings

Specialty insurer Arch Insurance North America promoted Imran Jalozie to its chief information officer role. Jalozie most recently worked as the company’s vice president of IT application development before becoming interim chief information officer in May 2025.

E-commerce company Rokt appointed Sam Dozor as its next chief technology officer. Dozor previously worked as senior vice president of engineering at mParticle, which was acquired by Rokt in 2025.

Energy infrastructure developer Giga Energy hired Angad Sandhu to be its new chief technology officer, effective May 21. Sandhu most recently worked as director of data center infrastructure at Google, and with Tesla prior to that.

STRATEGIES + ADVICE

There’s so much talk about AI’s efficiency and how it will reduce people’s workload. While AI can do a lot, it may actually result in more work for humans. After all, humans still need to monitor and review AI’s output—especially when it has to do with important decisions—and ensure that all of its work product isn’t generic, incorrect or biased.

As this newsletter demonstrates, you have a stressful job.
To close out Mental Health Awareness Month, here are six exercises you can do at your desk to help reduce tension and clear your head for the next challenge.

QUIZ

Which tech company hit a $1 trillion valuation for the first time this week?

A. Micron
B. SK Hynix
C. Kioxia
D. Seagate