From US Airforce to Director of Security

“The Duke CISO Certificate program recognizes that cybersecurity is not merely a technical problem but a business risk that demands a holistic, interdisciplinary response”

An executive learner in the Duke CISO Certificate Program, James Hengsterman-Cash is the Director of Security at Eightfold AI, where he established the first AI Security Center of Excellence. He started his cyber career inspired by his experience in the Air Force. In the past years, James spearheaded cybersecurity initiatives at U.S. Central Command (CENTCOM) and U.S. Cyber Command (CYBERCOM), and later, he collaborated with companies within the Department of Defense (DoD) and the U.S. Intelligence Community. For his efforts, he earned multiple Air Force Commendation Medals and the organizational Lt. Gen. Harold W. Grant Award

How have you learned about the Duke CISO certificate, and why have you applied?

I’m often looking for ways to supplement my knowledge gaps. I discovered the CISO certificate program through the Cyber Leadership Program's website, which I had unfortunately discovered too late last year. The alignment of this new program with the Cyber Leadership Program's already impressive objectives immediately caught my attention. There is an unfortunate and severe lack of structured and formal security leadership training, which is often left to informal, on-the-job experiences. That opportunity and the potential to cultivate a community of practice around security leadership with peers from around the world and across industries drove me to apply.

How does the Duke CISO Executive Program fit into the cyber landscape? What is the potential impact on the future of the cybersecurity profession?

In addition to providing the much-needed cybersecurity leadership training, the program differentiates itself with its highly interdisciplinary approach coupled with significant emphasis on learning from industry experts. The fact that it integrates insights from cybersecurity engineering, public policy, law, computer science, and industry experts provides a comprehensive understanding of the multifaceted nature of cybersecurity.

In my experience, the program carefully balances tactical guidance and strategic vision. We gain practical frameworks that we can apply to build and manage effective security programs. But as importantly, we develop the strategic acumen to anticipate and navigate the complex, rapidly evolving threat landscape. The program recognizes that cybersecurity is not merely a technical problem but a business risk that demands a holistic, interdisciplinary response.

How have you decided to become a Cyber professional, and why?

I worked for a military organization where cybersecurity was a key function. The people on the team, at the time called the “information assurance” team, were highly intelligent, motivated, and willing to teach me about a field I knew little about. Working with them, I first saw cybersecurity not as a support function but as essential to mission success. After that, I was hooked.

Being a cyber professional is not always easy; the days can be long and full of sudden and unexpected stressful events. Fortunately, it can also be incredibly rewarding. Our society is built on information, and safeguarding that information feels like a strategic game and a moral duty. You’re in a constant battle against unseen adversaries who desperately want you to fail. The evolving landscape of cyber threats requires constant vigilance and innovations and has made my career both intellectually stimulating and personally fulfilling.

What was more important to you for becoming who you are today?

I’ve always been surrounded by people who were better at some aspect of this job than I’ve been. Having someone to sharpen yourself against can make everyone involved that much better. I’m exceptionally fortunate to have a spouse who has been in the same field for as long as I have. We’ve had constant, usually friendly competition going on for over a decade, and it’s challenged us, driven us out of our comfort zones, and improved us immensely.

Name one thing you wished you knew when beginning your cyber career.

When I first embarked on my cybersecurity career, I entered an environment where the security team was often perceived as the 'department of no,' which significantly influenced early career interactions. This perspective initially led me to a rigid approach to security, focusing solely on risk minimization without considering the broader impact and operational goals. As I matured, I better understood the importance of aligning security strategies with the organization's objectives.

Briefly describe one important accomplishment in your cyber career or a highly impactful action that you took.

Unfortunately, I cannot publicly discuss some of my proudest achievements. Even then, my accomplishments were rarely just my own, and I’ve been supported by and worked with some genuinely incredible teams.

After starting my current position, I prioritized improving the relationships between the security team, internal stakeholders, and external customers. Regarding security, relations between the groups can be very strained. Fortunately, we almost always want a similar thing. We want the security of the system to be as exceptional as possible. It took more than a few calls, but getting everyone aligned on this was extremely helpful, and I feel that it helped build a great deal of trust and led directly to some of our customers getting what they needed to help their constituents in a very real way. That said, I’m hopeful that my most impactful decisions are yet to be made.

Can you name 1-2 significant challenges in cybersecurity today and how an executive program like this can help overcome them?

One of the most pressing challenges in cybersecurity today is managing the risk of third-party vendors. This already difficult problem has been compounded by the influx of vendors adding AI features that are not yet widely understood or well-regulated. As organizations increasingly rely on external partners for essential services, the risks associated with these relationships scale accordingly.

During this program, I’ve received very actionable guidance based on how others handle this problem. This guidance has come from the course's experts and from side conversations with peers. I’ve directly implemented several pieces of advice I received for our vendor risk management program, which has had seemingly positive effects. Networking opportunities within the program provide a platform for leaders to share experiences and solutions to common challenges. Collaboration with peers facing similar issues can lead to novel strategies and foster a community approach to cybersecurity challenges.

What was one important thing you have learned since you attended the program?

The insights from everyone in the program have been truly invaluable. One of the most valuable lessons I've learned from the program is the critical importance of effective cybersecurity metrics and reporting. In the day-to-day of security operations, it's easy to de-prioritize reporting in favor of urgent firefighting. I've been guilty of leaning on concrete, readily available metrics while deferring more complex measurements to quarterly or annual reviews. But as I've learned, this is a missed opportunity. The program provided practical frameworks for leveraging well-designed metrics to assess and improve our overall security posture continuously. By applying these insights to elevate our reporting practices, my team has found that additional effort yields dividends and drives our program forward.