ClearTech Loop: In the Know, On the Move
ClearTech Loop is a fast, focused podcast delivering sharp, soundbite-ready insights on what’s next in cybersecurity, cloud, and AI. Hosted by Jo Peterson, Chief Analyst at ClearTech Research, each 10-minute episode explores today’s most pressing tech and risk issues through a business-focused lens.
Whether it’s CISOs rethinking cyber strategy or AI reshaping risk governance, ClearTech Loop brings clarity to a shifting landscape—built for tech leaders who don’t have time for fluff.
We cut through hype. We rethink assumptions. We keep you in the loop.
The CISO’s Role in AI Is to Lead the Risk Conversation with Mustapha Kebbeh, Chief Security Officer at UKG
AI adoption is accelerating across the enterprise, often faster than governance and risk models were designed to support. Boards want innovation. Business leaders want speed. Security teams are expected to manage risk in environments where the technology itself is still evolving.
In this episode of ClearTech Loop, Jo Peterson speaks with Mustapha Kebbeh, Chief Security Officer at UKG, about why the CISO’s role in AI is not to block innovation or own governance outright, but to lead the enterprise risk conversation that enables informed decision making.
Mustapha shares how CISOs can help organizations understand what is being protected, why it matters, and what level of risk the organization is intentionally accepting as AI adoption accelerates. He also explains why effective AI governance depends on early involvement, clear guardrails, and shared ownership across the enterprise.
👉 Subscribe to ClearTech Loop on LinkedIn:
https://www.linkedin.com/newsletters/7346174860760416256/
In This Episode, We Cover
- Why AI does not create new risk, but accelerates existing risk
- How the CISO role is evolving from control owner to risk leader
- Why AI governance fails when security is brought in too late
- The importance of early involvement and shared ownership
- How governance enables informed decisions rather than documenting failure
Key Quotes
“Every cyber program is going to have risk.”
“But the most important piece in my mind is what is it that you are protecting.”
“The reason that’s really important is everything that touches data creates a risk management program.”
“Am I investing in the right risk.”
About the Guest
Mustapha Kebbeh is Chief Security Officer at UKG, where he leads global cybersecurity strategy, enterprise risk management, and architecture supporting more than 75,000 employees worldwide.
He has held senior security leadership roles at Brink’s, IBM, Vodafone, and CompuCom, and is known for building large-scale security programs that balance governance, resilience, and business growth. He also serves as a CISO Executive Governing Body Member and Co Chair with Evanta, a Gartner company.
▶ Watch on YouTube: https://youtu.be/XxA0Uw3xll0
Resources Mentioned
Gartner: CISO FAQs on AI Governance and Cybersecurity Strategy
https://www.gartner.com/en/cybersecurity/cybersecurity-faqs
Webinar Replay: Building Trust Through Enhanced Security Measures (UKG)
https://www.ukg.com/learn/resources/webinar-replay/building-trust-through-enhanced-security-measures
ClearTech Loop: Simplifying Complexity in Modern Infrastructure with Dan DeBacker
https://www.buzzsprout.com/2248577/episodes/18455780
▶ Watch on YouTube: https://www.youtube.com/@ClearTechResearch/playlist
Jo Peterson: Hey everyone, thanks so much for joining. You're here at ClearTech Loop. We're on the move and in the know. I'm Jo Peterson. I'm the vice president of cloud security for Clarify360 and the chief analyst at ClearTech Research. And I'm here with Mustapha Kebbeh, VP and Chief Security Officer for UKG. Hi, Mustapha.
Mustapha Kebbeh: Hey Jo, how are you?
Jo Peterson: I'm doing great. Thank you so much for taking time to visit. In case anyone is new to the podcast, we're a hot take approach to podcasting, and we're focused on cyber security, cloud security and AI security. And in each weekly episode, we ask our guests three focused questions to quickly educate our listeners about the security landscape, both from a risk and opportunity standpoint, and our soundbite approach is meant to act as an of-the-moment look at business and technical conversations that are happening right now in the C-suite, in particular, in the CISOs, in the CISO space. So as I mentioned, Mustapha is the Vice President and Chief Security Officer of UKG, and he also serves as co-chair of the CISO executive governing body of Evanta, a Gartner company. Mustapha has been in the industry for years, and he's had senior roles at companies like, obviously, UKG, Brink's and CompuCom. Mustapha, how do you stay busy during the day? Please tell us.
Mustapha Kebbeh: Jo, thank you, and by the way, it's a pleasure to be here. I think there's always enough work to stay busy, right? A lot of things going on; the industry, it's moving. So you have, you have to adopt, you have to learn new things, and you also have to protect the business. So with all of that, plus life and kids and all of that stuff, you get really busy.
Jo Peterson: Oh yeah, the kids will keep you busy, for sure. Not that your day job doesn't keep you busy enough. So let's just dig right into the three questions. From a CISO's perspective, how should you be thinking about cyber risk in terms of dollars and business impact?
Mustapha Kebbeh: Absolutely. And I think when you think about cyber risk into dollars and impact is it's every business would have a different way of really translating that. But the most important piece in my mind is, what is the value of the business staying up running, and then who are your customers, in terms of your your business value, from your customer view, you know availability of your systems as well as what you have, what are you protecting? The reason that's really important is everything that you do, from a security perspective, becomes a risk management program, investing in keeping up. Am I investing in the right the right risk? Every cyber program is going to have risk. Which one are you going to tackle first? How does that really play into the financial impact of the cost of your of your customers? Am I investing enough in an area where I think it has a higher risk? When you think about that, it translated into, you know, protecting the business to make sure that you're up for, you know, for the business to run, or minimizing any impact, so that you don't have to actually invest or put sick money in terms of recovery or in terms of related security issues. When you bring those two pieces together, you always have the capability to drive the right conversations with your leadership on if I make sure that there is no security issues, or I minimize the impact of security issues, I call it $1 losses if you dollar on $1 loss is not is $1 on if you're not losing any dollar, you're actually gaining $1 because you're staying where you are. So what you have to do at that point is making sure that you are driving the right right innovations, but also you're maintaining the right risk posture of your organization.
Jo Peterson: And you make such a good point, because you have a very deep bench at UKG, but not every CISO is in the same position, meaning they might not have a Risk Officer. So what people sometimes forget is that the chief security officer is also the chief risk officer, and that person is looking out for overall corporate risk, things that are going to take down the business like, you know, why would you have your mission critical gear in a place that gets flooded? For example, you wouldn't, and so that'd be a conversation that you'd have with one of your peers about moving the infrastructure elsewhere. So that's such a good point. And I think you kind of answered the second question layered in the first one. So good job on that. And what would be a podcast today if it didn't mention AI? So we got to talk about that. How should the CISO be thinking about AI adoption from two perspectives, in terms of its ability to secure emerging threats, because we're starting to see so many of the tools with the AI capabilities built in, and then also from an organizational governance perspective.
Mustapha Kebbeh: So when I think about the AI tech, I think I love it. I think it's a great technology that is transforming everything that we do to transforming the organization. We see companies like Nvidia, like breaking, you know, everything that we know. The reason is this, this is going to transform our space. You know, whether we like it or not, so what we need to be able to do as really innovate within it, right? Look at the areas that is going to help you secure your infrastructure. For example, here at UKG, we really have been in the forefront of trying to use AI to really help us in the speed of detection, speed of response. And it's something that we've been trying to build within our SOC for a period of time right now. And the idea is, drive the innovation. Find the time to really use some of that, really drive some of that innovation. So you're not on the tail end of the technology. So that's really the key factor, if you don't use AI. And you know, we hear this from industry, and someone who's going to use AI will replace you, and that that mentality, so you have to be able to use it, but also, if you don't use AI, you won't be able to learn how to actually protect it against all the types of attacks. So by implementing it, trying an error, trials and error allow you to understand how it really works and the speed it brings. Now with that comes the challenge of privacy, data security, as well as everything that it brings, like every other technology, brings some sort of a risk to your organization's AI, cloud infrastructure, but there's a risk versus reward conversation, and in my mind, the governance has to come back to how are you using this? What information is it touching? How are you? What is the security around it? What's the governance do you put into in your organization? So here we have a governance and ethics committee that drives how we leverage AI news. What's the security of the product, what can go to production?
What can we what can we have in our playground, how internally we can use it? So combining those things together allows you to really start to think about the controls you put in place, the privacy and the regulations that you are going to adhere to to really drive innovation. People talk about speed, right? That's very, very important. Security tends to be one of the organization that tends to be in the middle of innovation and speed to deliver AI tech, but bringing those together, coming closer together, making sure that we understand what's happening. Forefront working with either if you're a software company or not, and a product teams and making sure you're part of that really drive, drive that. And when I think about AI, it's to me, from a security perspective, it's nothing more than thinking about supply chain security. It's another code running somehow you have to protect it the same way MCP, all the stuff comes into play where you put gateway security, or API security becomes now, okay, what am I doing for my MCP server? So you got to have to have some sort of a gateway to look at that, look at parameter injections and things like that. But when you go back to the data that AI is touching, you have more complexity. It's faster. There's more speed. So data security becomes a big, big, big, big part of what you do for AI security, as well as access to the data. So we are focusing heavily on those two aspects to drive the tactical control. But from a privacy and governance standpoint, it's a matter of bringing the right teams together, legal, the CIO, your group, the product team and engineering needs to be part of that conversation.
Jo Peterson: And that's really, that's a really important point that you bring up, that everybody should be at the table, lending their voice and what's important to them. But I'm so glad that you brought up MCP, because really interested in, you know, that acting that MCP, acting as a proxy and securing MCP, right? And so, you know, use you see now we're OAuth 2.1, right? And we're, it's so much better than plain old API security. It's so much more secure. Are you seeing that, you know, the tokenization is going to be a great aspect, if folks are following with, with the Oh, with the OAuth protocol, and then also, sort of that mutual handshake, that security on both sides of the equation? What are your thoughts there?
Mustapha Kebbeh: You know, I think these technologies allow the a lot of companies to move fast and speed and share information in a very faster way. But at the end of the day, the authentication is just one. And I think the next question is, what are they doing, right? What are the prompts? What other questions are they asking your MCP server to do. Where is it sitting into the organization? Is it integrated in the product? Is it some higher level then? And how do you take that information and test it, validate it right? So it becomes AI. Testing comes into play. Prompt injection testing comes into play. The traditional API gateway changes to now, okay, do I have MCP gateway? Because security needs to see what's happening, what's transmitting data leakage become, become right? So if you don't have it configured right, or downstream databases, or whatever you have spilling information that are not supposed to so all of this comes into play in my mind. So when I think about all of this, I think I use the traditional AppSec security controls and say, how do we innovate with the current technology that, with the with the newest technologies, like MCP would do and A2A and other protocols that that are coming out?
Jo Peterson: Yeah, and you know, thank you for kind of answering that off the cuff, because it's a relatively new technology. Not everybody's had a chance to play with it yet, right? It's not been appropriate for them, or it's somewhere on their roadmap, but they just haven't played with it because it's, we're only talking, you know, six or seven months old here in terms of technology. So you know, you're ahead of the curve, probably as usual, and appreciate you getting some sharing some thoughts on that. Everyone, thank you so much for taking the time to join today. Mustapha, thank you for your time, and we'll see you next time.
Mustapha Kebbeh: Jo, thank you. Thank you. Love the podcast.