Burning Down Cyber Risk: DHS’s AI-Powered Playbook to Outsmart Hackers


March 26, 2026

Hemant Baidwan describes a pivotal moment in federal cybersecurity, where agencies are rethinking how they approach risk in an increasingly complex threat environment. He explains that one of the most significant changes during his time as Chief Information Security Officer at the Department of Homeland Security is the rapid rise of artificial intelligence. AI is not only helping defenders move faster and operate more efficiently, but it is also being used by adversaries to identify and exploit vulnerabilities. This dual use of AI is reshaping how organizations must think about protecting their systems and data.

Baidwan emphasizes that the traditional compliance-driven model of cybersecurity is no longer sufficient. Rather than focusing on checklists, documentation, and periodic audits, agencies must shift toward understanding and addressing real risk in real time. He notes that adversaries are not concerned with whether an organization has a plan on paper—they are looking for weaknesses they can exploit immediately. This reality requires a more operational, continuous approach to cybersecurity that prioritizes action over documentation.

A central part of this shift is the development of what Baidwan calls a Risk Operations Center, or ROC. While many organizations are familiar with Security Operations Centers (SOCs), which focus on alerts and incident response, the ROC is designed to provide a deeper understanding of enterprise-wide risk. Baidwan explains that a mature ROC continuously evaluates vulnerabilities, misconfigurations, and potential attack paths. It delivers meaningful, actionable insights that help organizations prioritize what to fix first and allocate resources effectively.

Visibility is a key capability within this model. Baidwan stresses that organizations need continuous insight into their environments—not weekly or monthly snapshots, but real-time awareness of where risks exist. This includes understanding how different vulnerabilities might be exploited in combination, rather than evaluating them in isolation. By identifying attack paths, agencies can better determine which issues pose the greatest threat and address them accordingly.

He also highlights the importance of integration between the ROC and the SOC. Security teams often face overwhelming volumes of alerts, many of which are false positives. This “alert fatigue” can make it difficult to identify genuine threats. By feeding prioritized, high-quality data from the ROC into the SOC, organizations can reduce noise and ensure that analysts focus on the most critical issues.
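The two ideas above, attack paths that chain individual findings together and a ROC feed that re-ranks SOC alerts, are easier to see on a toy environment. The following is an added illustration written for this page; it is not code from DHS, from Baidwan, or from any ROC product. The hosts, edges, findings and alerts are constructed, the scoring rule (severity multiplied by one plus the number of entry-to-crown-jewel paths through the host) is an assumption chosen for clarity, and `EDGES` models only network reachability between footholds.

```python
from collections import defaultdict

# Constructed sample environment (hypothetical hosts, not any real network).
ASSETS = {
    "web-01": {"exposed": True,  "crown_jewel": False},   # internet-facing entry point
    "app-01": {"exposed": False, "crown_jewel": False},
    "db-01":  {"exposed": False, "crown_jewel": True},    # the asset we care about most
    "dev-07": {"exposed": False, "crown_jewel": False},   # reachable but a dead end
}
# Directed edges: a foothold on src can reach dst (assumed reachability).
EDGES = [("web-01", "app-01"), ("app-01", "db-01"), ("web-01", "dev-07")]

# Constructed findings; severity is a CVSS-like base score evaluated in isolation.
FINDINGS = [
    {"id": "F-1", "host": "web-01", "kind": "vuln",      "severity": 7.5},
    {"id": "F-2", "host": "app-01", "kind": "misconfig", "severity": 5.0},
    {"id": "F-3", "host": "dev-07", "kind": "vuln",      "severity": 9.8},
    {"id": "F-4", "host": "db-01",  "kind": "misconfig", "severity": 6.0},
]

# Constructed SOC alerts; confidence is the detector's own 0..1 score.
ALERTS = [
    {"id": "A-1", "host": "dev-07", "signal": "new scheduled task",     "confidence": 0.9},
    {"id": "A-2", "host": "app-01", "signal": "unusual outbound conn",  "confidence": 0.6},
    {"id": "A-3", "host": "web-01", "signal": "failed login burst",     "confidence": 0.3},
]


def attack_paths(assets, edges, findings):
    """Enumerate simple paths from exposed hosts to crown jewels.

    A hop is only allowed onto a host that carries at least one finding:
    the attacker needs a weakness to take each step, so the findings are
    evaluated in combination rather than one at a time.
    """
    weak = {f["host"] for f in findings}
    adj = defaultdict(list)
    for src, dst in edges:
        adj[src].append(dst)
    paths = []

    def walk(host, path):
        if assets[host]["crown_jewel"]:
            paths.append(list(path))
            return
        for nxt in adj[host]:
            if nxt in weak and nxt not in path:   # no revisits: simple paths only
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for host, meta in assets.items():
        if meta["exposed"] and host in weak:
            walk(host, [host])
    return paths


def path_exposure(paths):
    """Count how many entry-to-crown-jewel paths run through each host."""
    exposure = defaultdict(int)
    for path in paths:
        for host in path:
            exposure[host] += 1
    return exposure


def prioritize(findings, exposure):
    """Rank findings by contextual priority = severity * (1 + paths through host).

    An isolated critical finding on a dead-end host drops below a medium one
    that sits on the only path to the crown jewel.
    """
    ranked = [(f["id"], round(f["severity"] * (1 + exposure[f["host"]]), 1)) for f in findings]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def triage_alerts(alerts, exposure, escalate_at=0.7):
    """Re-rank SOC alerts with ROC context so analysts see path-relevant hosts first."""
    out = []
    for a in alerts:
        score = round(a["confidence"] * (1 + exposure[a["host"]]), 2)
        out.append({"id": a["id"], "host": a["host"], "score": score,
                    "action": "escalate" if score >= escalate_at else "defer"})
    return sorted(out, key=lambda a: a["score"], reverse=True)


if __name__ == "__main__":
    paths = attack_paths(ASSETS, EDGES, FINDINGS)
    exposure = path_exposure(paths)
    print("attack paths:", paths)
    print("fix order:", prioritize(FINDINGS, exposure))
    print("alert queue:", triage_alerts(ALERTS, exposure))
```

Running it shows the one viable path web-01 to app-01 to db-01; F-1 moves to the top of the fix list while the 9.8 on dev-07 falls to last, and the 0.6-confidence alert on app-01 outranks the 0.9 on the dead-end host. Both `prioritize` and `triage_alerts` take the same `exposure` map, which is the ROC-to-SOC feed the text describes.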

When Baidwan talks about “burning down risk,” he clarifies that the goal is not to eliminate risk entirely, but to reduce it to an acceptable level based on each organization’s risk tolerance. He acknowledges that complete elimination is not realistic, but continuous reduction is achievable with the right tools and processes in place.

Looking ahead, he points to the growing role of automation and AI-driven remediation. For example, AI can detect misconfigurations in cloud environments and either alert teams or automatically fix the issue before it can be exploited. This concept of “self-healing” infrastructure represents a future where systems can respond to threats faster than human operators alone.
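A minimal version of the detect-then-alert-or-fix loop described above, added here as an illustration and not code from DHS or any cloud provider's tooling: the inventory is a constructed, provider-neutral dictionary (hypothetical bucket and security-group records, not a real API schema), and the rule set and the split between auto-safe fixes and fixes that are only reported are assumptions. The one design point worth noticing is that gate: an open admin port may be someone's only way in, so that rule escalates instead of self-healing.

```python
import copy

# Constructed sample cloud inventory (hypothetical account, not real data).
SAMPLE_CONFIG = {
    "buckets": [
        {"name": "public-assets", "public_read": True,  "encryption": "none"},
        {"name": "audit-logs",    "public_read": False, "encryption": "aes256"},
    ],
    "security_groups": [
        {"name": "bastion-sg", "ingress": [
            {"port": 22,  "cidr": "0.0.0.0/0"},
            {"port": 443, "cidr": "0.0.0.0/0"},
        ]},
    ],
}

ANY_ADDRESS = "0.0.0.0/0"
ADMIN_PORTS = {22, 3389}


def _bucket(cfg, name):
    return next(b for b in cfg["buckets"] if b["name"] == name)


def _drop_ingress(cfg, sg_name, port):
    sg = next(s for s in cfg["security_groups"] if s["name"] == sg_name)
    sg["ingress"] = [r for r in sg["ingress"]
                     if not (r["port"] == port and r["cidr"] == ANY_ADDRESS)]


def scan(config):
    """Return misconfiguration findings; each carries a remediation closure.

    'auto' marks fixes with a small blast radius that may be applied without
    a human in the loop; everything else is alert-only.
    """
    findings = []
    for b in config["buckets"]:
        if b["public_read"]:
            findings.append({"rule": "bucket-public-read", "resource": b["name"], "auto": True,
                             "fix": lambda cfg, n=b["name"]: _bucket(cfg, n).update({"public_read": False})})
        if b["encryption"] == "none":
            findings.append({"rule": "bucket-unencrypted", "resource": b["name"], "auto": True,
                             "fix": lambda cfg, n=b["name"]: _bucket(cfg, n).update({"encryption": "aes256"})})
    for sg in config["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == ANY_ADDRESS and rule["port"] in ADMIN_PORTS:
                findings.append({"rule": "admin-port-open-to-world",
                                 "resource": f"{sg['name']}:{rule['port']}", "auto": False,
                                 "fix": lambda cfg, n=sg["name"], p=rule["port"]: _drop_ingress(cfg, n, p)})
    return findings


def heal(config, mode="alert"):
    """Run the loop once.

    mode='alert'     -> report every finding, change nothing.
    mode='remediate' -> apply auto-safe fixes, report the rest for a human.
    Returns (new_config, actions); the input config is never mutated.
    """
    fixed = copy.deepcopy(config)
    actions = []
    for f in scan(fixed):
        if mode == "remediate" and f["auto"]:
            f["fix"](fixed)
            actions.append(("fixed", f["rule"], f["resource"]))
        else:
            actions.append(("alert", f["rule"], f["resource"]))
    return fixed, actions


if __name__ == "__main__":
    for mode in ("alert", "remediate"):
        _, actions = heal(SAMPLE_CONFIG, mode)
        print(mode, actions)
```

In `remediate` mode the public bucket is closed and encrypted in place, the open SSH rule is surfaced as an alert, and a second `scan` of the healed inventory reports only that remaining item, which is the metric a ROC would watch burn down over time.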

Baidwan underscores that technology alone is not enough. Cultural change across the workforce is equally important. Agencies must align their people, processes, and tools around a shared understanding of risk. By doing so, they can stay ahead of increasingly sophisticated adversaries and build a more resilient cybersecurity posture.