Episode 8

AI Is Moving Faster Than Enterprise Security Can React

The Watershed Podcast - AI Is Moving Faster Than Enterprise Security Can React
Declan Waters

Key Takeaways

  • Agentic AI introduces machine-speed risks that traditional security processes cannot keep up with.

  • Governance remains the most important foundational element for enterprise AI adoption.

  • Every AI agent should have a clearly accountable human owner.

  • The future of cybersecurity depends on prevention rather than reactive response.

  • Strong security cultures are built through employee engagement and education.

  • AI security challenges are accelerating faster than regulation can currently keep pace.

  • Startup ecosystems and emerging technologies require long-term strategic thinking.

  • Continuous networking and relationship building remain critical throughout a technology career.


Timothy’s Watershed Moment

One of Tim’s defining watershed moments came during his time at Dell when he helped establish the company’s first IT risk management department and eventually became Dell’s first Chief Information Security Officer.

That experience fundamentally changed how he viewed cybersecurity. Rather than treating security as simply a technical problem, he began focusing on how risk, controls, and governance directly impact business strategy and operational resilience.

Another major watershed moment came as he transitioned from enterprise operator into the startup and investment world. Through years of working closely with cybersecurity founders and venture capital firms, Tim developed a forward-looking perspective on where AI and enterprise security were heading long before agentic AI became a mainstream industry conversation.

That shift eventually led him to Onyx Security, where he now focuses on helping organizations manage the governance, visibility, and risks associated with AI agents operating at machine speed.


Full Transcript:

Declan Waters (00:04.642)

Hi everybody, I'm Declan Waters and welcome to The Watershed. Today I'm sitting down with Tim Youngblood. Tim has been Chief Information Security Officer at not one, but four Fortune 500 companies. He started off at Dell, where he was the first ever CISO, then Kimberly-Clark, McDonald's and T-Mobile. Thirty years in the hot seat.

He finally walked away from the operating roles in 2023, and now he's Chief Strategy Officer for Onyx Security. He's building, with his fantastic team, one of the most secure control planes for the agentic AI era. He sits on boards, he invests, and he also teaches. So really looking forward to this conversation and welcome to the podcast.

Tim (00:58.229)

Thank you, Declan. Pleasure to be here and good to have this opportunity to talk to you.

Declan Waters (01:00.782)

I'm looking forward to it too. And that is quite the resume. We've just met probably about six weeks or two months ago, fortuitously, and you were so generous with your time. We had a couple of really great conversations and I'm just so happy that you're on the podcast today with me.

Tim (01:23.209)

Yeah, it's interesting. I have a very strong philosophy that you should network and meet as many people as you can because you never know, the next person may change your life.

Declan Waters (01:36.182)

Yeah, absolutely. I love it. You never quite know. Well, it's great to have you here, Tim. I just want to start off by, before we get into AI and cybersecurity and all that good stuff, I want to take you back to the Commodore VIC-20, which according to my research is quite an important time in your life. So maybe you could just give our listeners a little bit of a walk down history lane for us.

Tim (02:03.337)

Yeah. Well, definitely the Commodore VIC-20 is a historic piece of tech if you ask me. Back in the late 80s, when the PC industry was really evolving and taking off and finally had computers in the home, at least at a point where people could afford them, there were a series of home PCs that had hit the market in department stores and online magazines.

I was fortunate enough to live close to department stores, but unfortunately not fortunate enough to own a computer or have the money to go buy any of these home computers back then. So I would actually ride my bike to local stores and play with computers that were in demo modes. I would take them out of demo modes and basically hack them and program them.

I taught myself basic programming and would sit there and make games until a store manager would come and kick me out and say, “What are you doing with my PC? I'm trying to sell these things.”

Eventually I did get enough money to afford one, and my first one was the Commodore VIC-20, which was the predecessor to the Commodore 64, which people remember more. But the VIC-20 had 5K RAM and you could get a 300 baud modem with it and a cassette player. That's what started my computer career and I learned all the things that eventually helped me throughout my career on that computer as a child.

Declan Waters (03:57.217)

Yeah. How old are we talking about here, Tim? When can you remember getting really interested in computers?

Tim (04:07.435)

Well, I would say I was close to 10. One of my really good friends, who was fortunate enough to get a computer, got the first IBM PC in our neighborhood. His father did. I was over at his house tinkering with that and just fell in love with the world you could create.

You could create anything you want. You weren't tied down into one game like you were with an Atari or some of the other gaming platforms back then. So I was at their house every afternoon just playing, making things up, creating music on it, enough to where his mother said, “Did we adopt you?”

Declan Waters (05:00.165)

And so I think you've also said publicly that cybersecurity didn't choose you. You chose computers and cybersecurity. When was the moment that you realized that?

Tim (05:17.375)

Yeah, it's interesting. I've always had an affinity for computers and then in the cyber realm, where I didn't necessarily realize it. As a child, I was fortunate enough to see this little movie called WarGames, which, if you remember that, was one of the first hacker movies that came out.

I was amazed that you could actually get into another computer and get it to do what you wanted it to do. That was just fascinating to me and the ways that you were able to get there and do it. Me being young and impressionable, I thought, “Hey, this looks like fun. I think I could do this.”

So even back then I was probably doing things I had no business trying to do, but learning along the way about how vulnerable computers can be. Back in those early days, it was about trying to get them to work, not about trying to secure them.

Although I didn't know it, I was understanding what controls were and how important they were in being able to protect an environment and reduce the damage of what could happen from someone who had malicious intent. So I was on that journey at that point.

Declan Waters (06:43.726)

And what a journey it's been, Tim. As I said in the introduction, you've been a CISO at so many impressive companies. Why don't we take a moment just to bring the audience up to speed on your career? You choose the starting point and then we can get up to Onyx, which I want to focus on as well.

Tim (07:09.727)

Yeah. I think it's appropriate to start off with one of the first big Fortune 100 companies I worked for, Dell Computers.

Prior to that, I had been in the professional services world and I worked for a few big professional service firms, KPMG being one of them. They really honed my skills in understanding structure controls, understanding how to do security risk assessments and audits around systems and things of that nature.

That part of my life was really important in development as I moved into the operational side with Dell. I came into Dell at a very confusing time with the company where they were trying to understand how to comply with all these new regulations coming out like PCI and Sarbanes-Oxley.

They had all of these audits being demanded by customers. Like now the SOC 2, but back then it was called a SAS 70.

It was an interesting time. I got in the middle of all that and I ran the global compliance program for Dell and got them out of a couple of sticky situations with their ability to meet regulators’ expectations as well as customer expectations.

That really led me down the road of risk management. I actually helped establish the company’s first IT risk management department. That was my moment in transitioning out of just trying to assess the defaults of tech and now really trying to understand how controls, tech, and security impact the business, the strategy, and the capability that we want to drive, and how we enable the business.

That was really the watershed moment for me and where my career went because eventually being able to drive risk around how we enable the business drove me into managing more of the security space.

At Dell, things were very organic at that point. I brought all of security under one umbrella and eventually I became Dell’s first Chief Information Security Officer.

We established a really core strategy that was the foundation of how we looked at risk. We weren't trying to make Dell a fortress, but rather ensure we reduced the likelihood of the things that could disrupt our most critical initiatives.

Things around factories, marketing campaigns at the wrong time, and acquisitions. When I was there, Dell first started doing major acquisitions. Michael decided he was going to buy capability versus build it, and he was acquiring four or five companies a year, which was brand new at that time to Dell.

Being able to establish security controls around these young startups we were acquiring and then integrate them into the bigger Dell environment was quite the challenge.

Declan Waters (11:10.798)

Yeah, that is quite the challenge. And then take us forward after that period of your career. Where did you go next?

Tim (11:22.963)

After getting Dell off the ground and establishing security as a core capability for the company, I got the opportunity to do it again.

I think it's a reflection of my entrepreneurial spirit. I like to build things. I like to create things that maybe weren’t there before.

I got another opportunity to do that with Kimberly-Clark Corporation. I moved over to Kimberly-Clark and became their first Chief Information Security Officer. They had never had one before.

For those who know Kimberly-Clark, the Huggies, Kleenex paper company that’s been around 150 years, they had been just fine not having someone in that type of leadership role.

But they were transitioning into driving more tech capability, both in the manufacturing space and direct-to-retail and online.

I was fortunate to come in at a time when the company was at a huge reflection point on how they would interface with customers.

With the help of the CEO at that time, we partnered on how to make Kimberly-Clark the most secure consumer product group company in the world.

I was fortunate to have the resources of some of the best marketing minds in the industry at that time, the people who did Huggies campaigns. I brought them onto my security team to help me get the message out to the rest of the company and engage employees.

It was fascinating to have those strategic minds who didn’t know anything about security but knew how to reach people.

Through that, we developed a platform around how to make Kimberly-Clark safe, but also how to make employees safe.

If an employee is safe, then the company has a good chance of being safe as well. That really resonated with the company.

We bought antivirus for the whole company so employees could take it home and secure their computers. We had some of the most viewed videos in the company, which was interesting because we got better views than the CEO one year.

It became an integrated part of the company and who we were. We were driving all this new capability but doing it in a responsible way.

That was my second big CISO job and I was really proud of how the team came from basically the bottom of the barrel all the way to one of the top teams in that industry.

Declan Waters (14:27.214)

Quite something. Listening to you speak, Tim, the through line that I'm getting is that you're continuing to break new ground, whether it's at Dell, Kimberly-Clark, McDonald's, T-Mobile, and now Onyx.

I wanted to touch on the present-day opportunity because you invested in Onyx around 18 months before you joined the company. You wrote a check before you signed your name on the door itself. What did you see that you loved so much that you wanted to come inside and help the company grow?

Tim (15:17.139)

As an angel investor, transitioning out of operational roles like being the CISO of McDonald's and T-Mobile, I reached a stage in my career where I wanted to interface with the industry in a different way.

I've always had that entrepreneurial spirit and had been working in the startup community for years. I think I was one of the first CISOs who started going to Israel regularly. I started traveling there back in 2015 and got to meet the startup ecosystem in cybersecurity because all the best cyber tech was coming from Israel.

I wanted to understand why that was and what they were doing differently.

I got connected with all those early VC groups like Cyberstarts, Wild Ventures, and Team8, and got to understand where they were trying to take companies.

They also allowed me to assess companies they were interested in investing in, as well as those already in their portfolio, and give feedback on how those products would actually work in an enterprise environment.

Through years of doing that, I learned quite a bit, which eventually led me toward becoming an angel investor.

Now I hear around a hundred pitches a year and invest in companies mostly in the cybersecurity space where I get a lot of deal flow from those same VC groups.

I saw a company in this space early on called Onyx that was trying to solve a problem in AI, but they weren't really sure what to call it.

When I heard the pitch, it was clear to me that this was the trajectory AI was heading toward. Back in 2023, generative AI had really started to hit the enterprise level and people were beginning to experiment with it.

There was concern starting to emerge around data exposure and the potential disruption from all these open-source solutions nobody had fully vetted yet.

Now we were moving into an era where AI wasn't just consuming information, it was acting on it. That's the point where Onyx focused its attention.

This acting capability is where the industry is going, and they created a platform to address that problem. Eventually this became known as agentic AI.

I was impressed with the vision of where they were at and thought they were a little early, but right on time for where the industry was heading.

Fast forward now to 2026 and it's one of the hottest and most talked-about topics in cybersecurity.

They created a solution that was purpose-built to address what we call the secure AI control plane, which is really about identifying where all your AI exists, determining the risk of that AI to your environment, and providing governance around it.

Additionally, the platform helps enable AI in your environment while also driving things like cost optimization.

It's a very exciting time right now.

Declan Waters (19:03.210)

I can see that and I can also see why you decided to join them, Tim. You had the pick of the bunch, I'm sure, so they're very lucky to have you. Obviously you saw something very early that a lot of others didn't see.

Tim (19:18.825)

I'm fortunate to have the background I have in entrepreneurship. I have a master's degree in that space, so I'm always trying to figure out where the puck is going, like Wayne Gretzky said.

Being with a startup at this early stage and helping them drive their strategy into the marketplace is really exciting because we're still at a point where people are being educated about this.

A lot of people still don't know what their role is when it comes to agentic AI and how their companies are really driving business outcomes with this type of technology.

It's great for me because I get to flex my education muscle and give people my perspective, not only on where I see established companies going, but also where I see startups trying to solve problems.

Declan Waters (20:22.094)

You've said publicly that a lot of the cybersecurity problems over the last 10 to 15 years have invariably been the same. Patching, passwords, misconfigurations, they've just moved to the cloud.

What's different now with agentic AI? Is it different?

Tim (20:46.315)

A lot of it is what I generally call old wine in new bottles.

You still need the same standard controls and defense in depth. That hasn't gone away.

But now we're at a stage, particularly with agentic AI, where it's about speed and the pace of what's happening.

When you had a human driving a process control, maybe they accidentally sent another customer's information out. That was one person doing that and maybe one complaint came through.

Now put an AI agent in that same scenario and it sends the same message 840 times before anyone notices.

That's a completely different type of problem.

It's a different type of exposure before you can even determine what's happened.

We're no longer at a stage where we can sit back and wait for the problem to occur and then go do the triage.

You have to figure out how to prevent the problem from happening in the first place.

Declan Waters (22:09.602)

You mentioned on LinkedIn recently that the Anthropic moment was very telling. What did you mean by that?

Tim (22:27.145)

For me, that was definitely a reflection moment for the industry.

We've always had the ability to rely on independent security researchers to identify vulnerabilities that companies missed, and then companies would have time to go address those issues.

I think back to malware outbreaks like NotPetya years ago.

At that time, I had established a vulnerability management program and we identified the Microsoft vulnerability at the center of that attack and treated it as an emergency patch situation.

We applied the patch before the outbreak spread.

When everyone else was going down, we were still operating with effectively zero impact.

Now that process has changed.

With what Anthropic has released, the assumption now is that you don't get that opportunity anymore.

You have to become Microsoft and figure it out ahead of time.

Again, it comes back to speed and how speed has changed the game.

How do you operate vulnerability management at machine speed instead of human speed?

That's the point where every large enterprise I talk to is taking a step back and trying to figure out how to deal with that reality.

Many organizations have been able to survive legacy issues because time was on their side.

Now they need to think more aggressively about rip-and-replace strategies because they won't have time to rely on compensating controls anymore.

Declan Waters (25:37.998)

What's your take on regulation?

Tim (25:58.368)

Europe is definitely ahead of us in this space when it comes to defining what responsible AI looks like.

In the US, we're still trying to understand how AI impacts not only companies but society overall.

I think regulators are still trying to figure out what good actually looks like.

You still have individual states trying to establish laws around privacy and data protection, which absolutely should continue.

But at the same time, many regulators don't necessarily have the skill sets yet to fully understand how AI impacts everything they've been working on for the last several years.

I haven't seen anything fully established yet, although we are starting to see public-private collaboration.

The NIST AI Risk Management Framework is a good starting point for defining what AI safety looks like.

But it's still very early.

I think another phase is coming, and unfortunately something bad probably has to happen before we get meaningful guardrails in place.

Declan Waters (27:59.215)

What advice would you give to a CISO listening to this podcast?

Tim (28:38.985)

I think it comes back to foundational things and governance is the most important one.

If you're an executive leader in a Fortune 100, Fortune 500, or even SMB company, you need to establish some form of governance around AI.

You need to understand what approved AI looks like for your company.

Once you understand that, you can start identifying what sits outside of that approval model.

Then you establish an intake process for how AI gets introduced into the company and define the business outcomes you actually want from AI.

Whether you're building your own large language model or using open-source tools to create agents, what matters are the outcomes.

We're still in an experimentation phase and experimentation introduces a lot of risk.

But governance helps define the outcomes the business actually wants, which then drives the capabilities you need to secure and enable AI.

Ownership is another huge part of it.

At Onyx, we strongly believe every AI agent should have a human owner.

There should always be accountability.

When something goes wrong, and eventually something will go wrong, somebody needs to be responsible.

If you haven't identified ownership, then you're simply tolerating the situation.

Declan Waters (31:29.070)

I follow you on LinkedIn and you're doing so many events every year. You sit on boards, invest, teach, and mentor.

From the outside looking in, this doesn't look anything like retirement.

Tim (32:11.155)

I'm having a ball. This is the spice of life.

For a long time, I was focused only on the problems of the company I worked for.

Now I'm unleashed into the broader industry and I feel like an advocate for making the industry better.

Sometimes that's teaching at the university level.

Sometimes it's mentoring CISOs and executives.

Sometimes it's helping startups solve problems that need to be solved.

Sometimes it's educating board members about AI.

I enjoy all of it and never get tired of it.

Declan Waters (33:12.792)

Take me back to the kid with the VIC-20 in Atlanta. What's the thing you know now that you wouldn't have believed back then?

Tim (33:51.402)

The connectedness of the world.

Back then, even with dial-up modems, you would connect into another system for a short period of time and then disconnect.

If you had told me back then that computers would eventually be connected to something called the internet 24/7 and never truly be offline again, I never would have believed it.

I remember dialing long-distance numbers I found in magazines like Byte Magazine just to connect to systems for a little while.

I also learned the hard way that it drove up the family phone bill, which my mother definitely reminded me about.

But it paid off in the long run because that's ultimately where I ended up.

Declan Waters (35:14.542)

Tim, thank you for sharing that.

I'm so pleased you're still incredibly active in the cybersecurity industry. Everyone loves you, you're incredibly well connected, and you have an important message to share with the community.

I wish you all the success with Onyx. You're building a very interesting company there and I can't wait to see how that develops.

Lastly, thank you so much for your time. Time is precious, but you've decided to spend 30 minutes with me and I really appreciate that.

Tim (36:06.464)

I appreciate it, Declan. It's always nice to go down memory lane and relive where we came from to appreciate where we're going.

Declan Waters (36:19.116)

Wise words to finish. Thank you very much indeed, Tim. Take care.
