Allen Westley, CISSP, explains how rapid IT and cybersecurity shifts in defense environments are redefining the roles of CISSP-certified professionals, making them essential to guide these organizations through the white heat of technology evolution.
Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.
I grew up watching my mom punch holes in IBM cards with a rhythm only seasoned keypunch operators knew. Back then, the sound of technology wasn’t a soft startup chime or LLM prompt loading. It was the clack-clack of machinery feeding logic into mainframes. Decades later, I find myself in a different rhythm: guiding cybersecurity teams in the Defense Industrial Base (DIB) as we adapt to something no keypunch could have predicted. Agentic workflows are AI-powered tools and systems designed to operate with a degree of autonomy, completing tasks and making suggestions without constant human input.
It might sound like another Silicon Valley buzzword, but this one has legs. If you're a CISSP working in or around classified environments, the rapid advance of AI and related technologies will impact you.
CISSPs in the Defense Industrial Base
As CISSP-certified cybersecurity professionals, we have become cross-domain interpreters: translating policy into action, security controls into agile workflows. Now, we need to manage the integration of AI agents into team members. Not the fictional kind you might see in a sci-fi thriller, but real tools showing up quietly in continuous monitoring, authorization and accreditation, and daily operations: nudging, suggesting, sometimes doing.
The challenge is that most cybersecurity pros weren't trained for this. Our world was built on knowns:
- Risk Management Framework
- Enterprise Mission Assurance Support Service
- Joint Special Access Program Implementation Guide Policy
However, AI agents don’t necessarily follow the same playbook. They build new ones. We are often left to decide if we embrace it, monitor it or red team it.
Here’s the thing: agentic workflows aren’t waiting for your team to get comfortable. They're sliding into tools, task managers, security automation platforms, even documentation pipelines. Tools like Ask Sage, Splunk’s Agentic Radar and in-house copilots aren’t theoretical anymore. They’re drafting system security plans, generating plans of action and milestones, and whispering recommendations like the intern who never sleeps. While these agents don’t take coffee breaks or file complaints to HR, they do need governance. This is where we come in.
Think of us as bridge-builders. We understand confidentiality, integrity, availability; now we need to understand intent inference, prompt injections and model drift. Our teams look to us to vet these tools, guide adoption and, when needed, pump the brakes. And maybe – just maybe – to write the first Acceptable Use Policy for a ChatGPT-powered sysadmin.
Coaching Your Team Through the Shift
If you walk into your next team huddle and say, “We’re shifting to agentic workflows” you’ll probably lose the room before the words are out of your mouth. Having done this more than once now, I suggest that the trick is in the framing:
- Start With Outcomes – I strongly advise highlighting how agents reduce toil, not headcount
- Make it Safe – Reassure your team that oversight and human-in-the-loop (HITL) design will keep decision-making grounded
- Embrace the Awkward – Let your team play with these tools in sandboxes. Curiosity remains the best teacher
- Stay Hands-On – As a CISSP you must lead from the front. This means testing, stressing and finding the edges of these tools yourself
If this feels overwhelming, well, welcome to the frontlines. But here’s the good news: CISSPs are uniquely positioned for this shift. We already think in systems and we know how to balance compliance with creativity. Agentic workflows just add a new dimension to the puzzle.
My advice is not to wait for a policy memo to tell you how to integrate AI agents into your security stack; instead, be the one who writes the memo. The future isn’t coming. It’s already at the door.
And don’t forget you're still responsible for ensuring that nothing classified ends up hallucinated into a chatbot's next poem!
Allen Westley, CISSP, has 20 years of experience in information technology, academia, and cybersecurity leadership. He has held business, management, and technical roles, with responsibility for protecting sensitive data, leading security teams, and advancing compliance initiatives. His cybersecurity work spans defense contracting, secure enclave operations, policy shaping, and workforce development.
Disclaimer: The opinions and content creation expressed in this article are my own and do not reflect those of my employer. This content is intended for informational purposes only and is based on publicly available information.
