AJ Debole is Field CISO at Oracle, but her journey began far from the corporate boardroom.
After starting out in law and government, she moved into healthcare and cyber defense, where she led teams through ransomware crises.
In this spotlight, she explores the next wave of challenges – aligning security with business incentives, taming AI sprawl, and securing the APIs that connect it all.
Early in her career, prior to working in cyber, AJ immersed herself in blockchain technology, found Ethereum, and became drawn to the idea of programmable money and smart contracts. This passion caught the attention of a mentor, who helped her land a role in the newly created cyber unit in the Massachusetts Army National Guard. Breaking into the corporate sphere, however, was no easy feat.
“I was spraying and praying my resume. I was desperate to get anyone to read my resume and talk to me because I felt as though I was a good interviewer,” she said.
Part of the problem, she believes, is that the people who are hiring for roles are rarely the same people who are writing job descriptions and crawling through resumes.
“There’s a gap there,” she said. “When I was hiring, I wanted to look at the resumes. And I didn’t know what I was looking for, but if anyone looked interesting, I wanted to interview them, even if they weren’t perfect on paper and they didn’t have the right education or buzzwords.”
Looking ahead, AJ expects the CISO role to become “more business-y,” with more “MBA types.” She understands the logic behind this trajectory: translating business objectives and ensuring security programs align with them is becoming more important.
However, she’s concerned that this focus will make people care more about business and compliance than substantive security – and organizations will suffer for it.
“The problem is that substantive security requires more technology experience, more nuance, and even more importantly, one could argue, enough curiosity about that technology to actually know about it and care about it,” she said.
That said, she recognizes that needs differ between teams and organizations. Some organizations need a technical CISO, some don’t; but they all need technical expertise at some level of the hierarchy.
“When I was working for the state, I was considered a technical deputy for my CISO, because he was less technical than I was,” she said. “But then when I became a CISO, I was insecure about my technical ability, so I made sure to find someone with a deep technical background as my deputy.”
Ultimately, AJ believes that some of the best CISOs are those that know about both the business and technical aspects of their organization. For her, these people know how to communicate with leadership, translate requirements, and ensure that the people reporting to them can direct their efforts for maximum impact, avoid burnout, and stick to a clear mission.
On the topic of communicating with leadership, AJ believes that a tailored approach will always be the most effective. Each board, and every board member, is different, and CISOs must adjust their style accordingly.
“One thing I’ve noticed is that conversations about engaging with boards are often framed as if all boards are the same, as if one approach works everywhere,” she said.
According to AJ, it’s important to remember that “each board member has had different experiences, they've been burned by different things, they've been rewarded from different achievements.”
Understanding those perspectives helps tailor messaging and secure buy-in. “If you can connect with board members,” AJ argues, “you can effectively advocate for what you need, whether that’s resources or a particular type of program. You can’t get somebody to see your perspective if you don’t understand theirs.”
Aligning security initiatives is one of the single most important aspects of communicating with leaders. And, for AJ, everything begins with incentives.
“At the end of the day, it all comes down to money. People are bonused off certain things. Organizations incentivise certain behaviors. The problem is that many organizations’ bonus structures are misaligned with what they’re trying to achieve, and security can’t fix that,” she said.
When incentives and goals do align, however, security priorities are clearer.
“If you’re fortunate enough to be in an organization that has consciously built financial incentives around business goals, it should be easy to understand what people care about and focus on that,” AJ explained.
Historically, security focused on critical assets, protecting high-value applications first. But as AJ pointed out, attackers take a different view, diving down into applications to understand their architecture. That’s how they find shadow APIs or exploit broken object-level authentication.
The solution, according to AJ, is to shift perspective.
“It shouldn’t be just about assigning values to assets,” she said. “It needs to be more about understanding attack chains, how they apply to your architecture, and how you can detect and contain them once they start.”
Success, she argued, requires partnering with engineering teams and looking at applications through a business logic lens. “That’s how you build stronger defenses.”
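The object-level authorization failure AJ refers to is easiest to see in code. The example below is added here and is not from the interview or from Wallarm: a handler that trusts the record id in the request sits beside one that also checks the authenticated caller owns the record. The records, user ids and function names are constructed for this illustration.

```python
"""Broken object-level authorization (BOLA): a handler that trusts the
object id in the request beside one that also checks the caller owns it.
Records and user ids below are constructed sample data, not a real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    record_id: int
    owner_id: int
    body: str


# Constructed sample data: two patients' records in a toy store.
RECORDS = {
    101: Record(101, owner_id=1, body="lab results for user 1"),
    102: Record(102, owner_id=2, body="lab results for user 2"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested object."""


def get_record_vulnerable(caller_id: int, record_id: int) -> Record:
    """BOLA-prone: the caller is authenticated (caller_id is known) but the
    handler never checks the record belongs to them, so any valid id is served."""
    return RECORDS[record_id]


def get_record_hardened(caller_id: int, record_id: int) -> Record:
    """Object-level check: look the record up, then compare its owner to the
    authenticated caller. A missing record and a record owned by someone else
    raise the same error so that ids cannot be enumerated from the response."""
    record = RECORDS.get(record_id)
    if record is None or record.owner_id != caller_id:
        raise Forbidden(f"record {record_id} not available to caller {caller_id}")
    return record


def ownership_checks_pass() -> bool:
    """Self-check: the hardened handler serves the owner and refuses others."""
    served_owner = get_record_hardened(1, 101).owner_id == 1
    try:
        get_record_hardened(1, 102)
        return False
    except Forbidden:
        return served_owner


if __name__ == "__main__":
    print("vulnerable handler leaks:", get_record_vulnerable(1, 102).body)
    print("hardened checks pass:", ownership_checks_pass())
```

In a real service the ownership comparison belongs in one shared authorization layer rather than in each handler, so a forgotten check in a new endpoint does not reopen the hole.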
Even the best CISO in the world will eventually face a data breach. How prepared they are is what separates the wheat from the chaff.
AJ recalled one particularly “gnarly” ransomware attack that sticks in her memory:
“It was healthcare, it was COVID, it was my first CISO role. You can imagine the stress of moving to remote work while also spinning up applications to support millions of people.”
Fortunately, AJ had leaned on her military experience to prepare.
“We would run huge exercises with blue teams and red teams. At the end of the day, everyone would come together – defenders would explain what they were looking for, attackers would explain what they were doing. Seeing both sides helped us piece together what worked as defenders, what didn’t, and how we could identify and disrupt attacks more proficiently. Doing exercises like that over and over again enabled us to build the muscle memory to adapt under pressure.”
When the ransomware incident hit, that preparation meant that her team could interrupt the attack and, ultimately, avoid making major news headlines.
“Without it, we would have had a really bad time,” she said.
However, AJ recognizes that not everyone can draw on military experience, so she points to Purple Teaming as a practical alternative.
“Everybody does their annual pen test, but after a few of those it almost feels like going through the motions. You’ve got to kick it up to the next level and say, ‘as this pen test is taking place, can my defense team spot it?’” AJ said. Put your defenders in a position where they can get meaningful practice in your environment using your tools and processes.
The benefits of this approach are twofold: organizations test tools under realistic conditions and train people to tell the difference between suspicious activity and normal business operations.
In fact, AJ is so confident in this approach that she argues that compliance standards should incorporate it.
“It would be nice if, every few years, organizations were required to do a red team-blue team exercise. If we have any chance at disrupting attacks and protecting the businesses we’re charged to protect, that’s the key ingredient,” she said.
AJ is excited to see how AI tools and capabilities can be thoughtfully leveraged by businesses to grow but expressed concern about security risks based on how various tools are implemented, documented, and monitored.
“I'd say a lot of businesses just want to use AI because they want to say they're using AI and that will make their shareholders happy, but they don't really care what they're doing or how they're doing it. And I think that is very dangerous,” she said.
She sees AI for what it is: another tool in the toolbox, one that can accelerate business, help cut costs, and increase revenue. But she also argues that implementing it thoughtlessly can be messy, undisciplined, and, like anything else, difficult to understand, control, and defend.
For AJ, aligning AI initiatives with business objectives and security strategies is critical.
“If your AI initiatives aren’t aligned with business objectives, they won’t integrate into the business strategy, or the security strategy that should follow from it. Instead, they become a separate issue, lacking the context to understand the true importance of the data and the systems these agents interact with,” she said.
That said, AJ has seen useful AI applications.
“Some organizations are building AI-driven SOCs that use deep learning and data mining to identify attack patterns, escalate them to Tier 2 or 3 analysts, and then leverage an LLM to explain what’s happening along with possible response options. From there, AI agents can carry out those actions. I see that as really great,” she said. Many technologists also struggle with writing reports and documentation. That is another area where LLMs can lighten the load on our security teams and give them back time to focus on higher-impact activities.
AJ is clear-eyed on the enormous importance of API security – particularly as it relates to AI implementations.
“APIs and AI agents are the connective tissue that lets businesses communicate, automate, and standardize processes to work faster and more efficiently. The problem is they’re also far too easy to spin up, sometimes in large numbers, and often automatically by other programs,” she said.
AJ argued that this kind of sprawl can be difficult to understand and monitor, especially as architectures become more complex and intertwined.
If something goes wrong in the chain, that can impact other aspects of the architecture and unexpected dependencies, creating threats to confidentiality, integrity, and availability.
So, what does AJ suggest organizations do to secure their APIs? For her, two things matter most:
Without that discipline, AJ warned, old connections may linger long enough for attackers to discover them.
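One concrete way to catch both the shadow APIs mentioned earlier and the lingering old connections AJ warns about here is to diff the documented API inventory against what the gateway actually served. The check below is an added example, not code from the interview or from Wallarm; the inventory, route templates and access log lines are constructed for this illustration.

```python
"""Inventory drift check: compare the API routes an organization has
documented against what its gateway actually served, flagging undocumented
(shadow) endpoints and deprecated routes that still receive traffic.
Inventory, log lines and route names are constructed for this example."""
import re
from collections import Counter

# Constructed inventory: (method, path template, lifecycle status).
INVENTORY = [
    ("GET",  "/api/v1/patients/{id}",         "active"),
    ("POST", "/api/v1/patients",              "active"),
    ("GET",  "/api/v1/reports/{id}/download", "deprecated"),
]

# Constructed gateway access log lines in the form "METHOD PATH STATUS".
ACCESS_LOG = """\
GET /api/v1/patients/17 200
GET /api/v1/patients/18 200
POST /api/v1/patients 201
GET /api/v1/reports/9/download 200
GET /api/v2/patients/17/export 200
DELETE /api/v1/patients/17 403
GET /internal/debug/agents 200
"""


def template_to_regex(template: str) -> re.Pattern:
    """Turn "/api/v1/patients/{id}" into a regex that matches exactly one path
    segment per placeholder; literal segments are escaped so "." stays literal."""
    parts = [r"[^/]+" if p.startswith("{") else re.escape(p)
             for p in template.strip("/").split("/")]
    return re.compile("^/" + "/".join(parts) + "/?$")


def classify_traffic(log_text: str, inventory=INVENTORY):
    """Return (shadow, deprecated_in_use): shadow counts hits on (method, path)
    pairs that match no documented route; deprecated_in_use counts hits on
    routes the inventory marks deprecated but that are still being called.
    A 403 still counts: the response proves the endpoint exists."""
    compiled = [(m, template_to_regex(t), t, s) for m, t, s in inventory]
    shadow, deprecated_in_use = Counter(), Counter()
    for line in log_text.splitlines():
        method, path, _status = line.split()
        hit = next(((t, s) for m, rx, t, s in compiled
                    if m == method and rx.match(path)), None)
        if hit is None:
            shadow[(method, path)] += 1
        elif hit[1] == "deprecated":
            deprecated_in_use[(method, hit[0])] += 1
    return shadow, deprecated_in_use
```

Run against real gateway logs, the shadow list is the review queue for engineering, and a non-empty deprecated list is the signal that a decommission never actually finished.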
Want to find out more about how Wallarm’s approach aligns with AJ’s vision for API security?