EP 31 — Arbor Memorial's Teij Janki on why adding AI before fixing process amplifies weaknesses

Teij Janki, CISO & Director of IT Governance Risk & Compliance at Arbor Memorial, has spent 30 years moving through the full stack of security, and his view is that the sequencing most teams follow is backwards. His principle is that technology does not solve processes, it amplifies them. That means deploying a tool before fixing the underlying process weakness just scales the problem. The implication for AI adoption is direct and worth hearing spelled out.On the budget side, Teij makes a case that privacy legislation is a more reliable governance lever than cybersecurity risk alone because privacy laws carry consequences that executive teams will actually act on. He also walks through the gating sequence his team built for AI tool adoption wherein sensitive data gets slowed down and scrutinized, lower-sensitivity use cases move through faster, and staff have a service catalog to work from rather than a blanket ban. Topics discussed:Applying a people-process-technology sequence to security programs before introducing AI or automation toolingUsing privacy legislation as an executive governance lever when cybersecurity risk alone fails to drive budget decisionsBuilding a gating sequence for AI tool adoption that separates sensitive from low-sensitivity data use casesReplacing blanket AI bans with a structured service catalog that lets staff self-select and move tools through approvalIdentifying process weaknesses before deploying technology to avoid amplifying existing security vulnerabilities at scaleProgressing security from a technical cost center to a strategic business enabler using the CMMI maturity modelApplying martial arts principles of discipline, clear expectations, and target-setting to cybersecurity team leadershipEvaluating where generative AI delivers in security operations versus where magical thinking still outpaces real-world performance