Key Takeaways
- Bernice Russell‑Bond, North Carolina’s CISO, emphasizes asking “What problem are we trying to solve?” before acquiring any new cybersecurity tool.
- She advocates an annual review of existing tools to identify unused or friction‑causing capabilities and to hold vendors accountable as partners rather than mere suppliers.
- A disciplined, fiscally responsible approach ensures that investments align with risk reduction, user‑experience improvements, and authorized‑access goals.
- North Carolina is integrating AI into its security program by first mapping end‑to‑end processes, securing AI‑enabled tools by design, and collaborating with agency‑level CISOs and vendor partners.
- The state engages frontier‑model providers to explore vulnerability identification and automated response capabilities while maintaining a human‑in‑the‑loop safeguard.
- ROI analysis is central: AI and automation are pursued only where they deliver the greatest impact, avoiding unnecessary spend on low‑value lifts.
- Continuous education, governance, toolkits, baseline requirements, and monitoring are used to embed security into development lifecycles rather than bolting it on later.
Problem‑Driven Tool Selection
Bernice Russell‑Bond asks her team a single, guiding question whenever a new cybersecurity tool is considered: “What problem are we trying to solve?” Rather than diving into technology specs or vendor pitches, she insists that the team first articulate the specific short‑ and long‑term challenges the tool must address. This focus prevents the common pitfall of buying a solution for a perceived symptom without understanding the underlying issue, thereby ensuring that each acquisition directly supports the state’s security objectives.
Fiscal Responsibility and Impactful Investments
Russell‑Bond stresses that maintaining fiscal discipline is as important as selecting effective tools. By linking every purchase to a clearly defined problem, the state can evaluate whether the anticipated benefits justify the cost. She notes that many organizations purchase tools to “fix something” without assessing whether the solution will deliver meaningful risk reduction or operational improvement. A problem‑centric approach helps North Carolina avoid wasteful spending and concentrate resources on tools that deliver the highest impact.
Annual Tool Rationalization
Beyond adding new capabilities, Russell‑Bond regularly asks what tools the organization no longer needs or that create friction in the environment. She treats this review as an annual accountability exercise: evaluating whether each tool mitigates risk, enhances user experience, and supports authorized‑access goals. Tools that fail to meet these criteria are candidates for retirement or replacement, allowing the agency to streamline its cyber architecture and reduce unnecessary complexity.
Vendor Partnership and Accountability
The CISO distinguishes between vendors and partners, arguing that true partnerships involve ongoing dialogue about product roadmaps and how new features align with the state’s needs. Russell‑Bond holds vendors accountable by asking whether forthcoming additions will help reduce the organization’s footprint elsewhere or address existing gaps. This collaborative scrutiny ensures that North Carolina only adopts enhancements that genuinely improve its security posture rather than simply adding features for the sake of novelty.
Discovering Hidden Gems in the Cyber Inventory
During routine assessments, North Carolina uncovered several “little jewels”—existing tools and capabilities that had been activated but were not previously recognized as valuable. These unexpected assets helped fill cybersecurity gaps and even offset planned purchases. Russell‑Bond highlights that a thorough inventory review can reveal underutilized resources, enabling the state to maximize current investments before seeking new solutions.
AI Integration and Risk Posture Assessment
Artificial intelligence presents both opportunities and challenges for cybersecurity. Russell‑Bond explains that understanding the organization’s risk posture—considering data, users, and operational context—is the first step in determining what security measures AI‑enabled tools require. She advocates for a security‑by‑design mindset, ensuring that developers incorporate protections from the outset rather than attempting to retrofit security after deployment.
Educating Process Owners and Providing Governance
To embed security into applications, Russell‑Bond’s team offers guidance, consultation, toolkits, baseline requirements, and continuous monitoring to process owners across agencies. This support helps stakeholders understand how to build secure systems and maintain compliance over time. By fostering a culture where security is a shared responsibility, North Carolina aims to reduce gaps that arise when security is treated as an afterthought.
Collaboration with Frontier Model Providers
North Carolina is actively engaging with leading AI model developers to explore how cutting‑edge functionality can strengthen its security program. Discussions focus on whether these providers can help identify vulnerabilities, automate response workflows, or pinpoint areas where human oversight remains essential. Russell‑Bond stresses that as AI capabilities evolve rapidly, the state must continuously reassess where automation adds the most value while preserving critical human judgment.
Balancing Speed with Impact and ROI
Although AI technology advances quickly, Russell‑Bond cautions against chasing speed at the expense of effectiveness. She notes that some AI implementations offer limited return on investment and may not justify the additional operational lift. By returning to her core question—what problem are we solving—and conducting rigorous ROI analyses, North Carolina ensures that AI and automation are deployed only where they deliver substantial, measurable benefits to the state’s security posture. This deliberate approach allows the state to be impactful rather than merely first to market.

