The Economics of Cybercrime and the AI Strategy Behind Getty with Isaac Straley - Ep 224

Isaac Straley is the CISO of the J. Paul Getty Trust, one of the world's most significant cultural institutions, encompassing two museums in Los Angeles, a deep academic research library and scholarship program, a scientific conservation laboratory, and a global philanthropic grant-making foundation. Two months into his fourth CISO role, Isaac brings a career spent almost entirely in public sector and nonprofit organizations, including three prior stints as CISO at public research universities, to an institution that is increasingly a target in a sector that has historically underinvested in cybersecurity. He also holds responsibility for Getty's enterprise-wide AI strategy, making him one of the few guests this podcast has featured who is simultaneously setting the organization-wide AI strategy and building the defensive AI posture for the same organization.

 


Here’s a glimpse of what you’ll learn: 

 

  • Why museums, libraries, and cultural institutions are now active targets and how recent attacks on the Seattle Public Library, the Toronto Public Library, and the British Museum changed the conversation
  • Why Isaac frames cybersecurity almost exclusively through an economics and business lens and what that means for how he prioritizes risk at Getty
  • Why patch management is like printing an encyclopedia, outdated by the time it ships, and what has to replace it in an era of machine-speed vulnerability discovery
  • Why the three response-oriented functions of the NIST Cybersecurity Framework (Detect, Respond, Recover) matter more than the protection-oriented ones and why the field has been signaling this for years
  • How observability pipelines rather than prevention controls are the architecture that makes AI-age security actually work
  • Why Isaac advises every aspiring security professional to go learn something else first and why that advice is more relevant in the AI era than it has ever been
  • Why measuring a SOC analyst on how many threats they found is the wrong metric and what he is replacing it with


In this episode…

Isaac opens by making the case, with genuine conviction, that the J. Paul Getty Trust needs a CISO and not merely an IT security director. The argument is stronger than it initially sounds. Getty is not just a tourist destination hosting a million and a half visitors a year across two museums in Los Angeles. Its research institute holds roughly another million and a half archival pieces alongside a growing digital collection. Its conservation institute does leading-edge materials science research on how to preserve degrading plastics, oils, and stone. Its foundation funds cultural heritage organizations globally, and Getty distributes open source software to the sector, including ARCHES, a heritage data management platform used for archaeological dig sites, plus publicly accessible, API-enabled vocabulary and provenance systems. And all of it sits in a sector that, as Isaac notes directly, has not had the investment and focus it needs, evidenced by recent attacks on the Seattle Public Library, the Toronto Public Library, and the British Museum. That context is what makes his framing of the threat so useful: he thinks about attacks almost exclusively from an economics standpoint. Attackers are running supply chains with HR departments. Their KPIs are not calibrated to spare hospitals or museums. The question is simply whether a vulnerability exists and whether it can be exploited, and the answer is almost always yes and yes.

The security architecture argument Isaac makes in this episode is the one that most challenges how the field has historically measured itself. Prevention and protection matter, he acknowledges, and there is a legal and ethical obligation to maintain basic hygiene. But the NIST Cybersecurity Framework already signals where the weight should be: of its five original core functions (Identify, Protect, Detect, Respond, Recover), three sit on the response side, and CSF 2.0 adds Govern as a sixth without changing that balance. The discipline has been pointing at this for years. What is new is that the AI age makes it structurally unavoidable. Organizations are no longer building controlled infrastructure with thoughtful design and hardened controls baked in. They are building platforms for people to create things nobody anticipated, and those platforms cannot be protected through prevention alone. What they can be protected through is observability: building trace data pipelines that capture what is happening across every system in real time, feeding that data to machine learning that understands what normal looks like, and escalating anomalies to a human before the damage compounds. Isaac is specific that this is not just a security strategy. It is a virtuous loop, because the same observability infrastructure that makes security possible also gives builders better feedback on whether their systems are working. Security and functionality, aligned by design rather than in opposition.
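The detection half of that loop, reduced to its simplest form as an added example written for this page (it is not Getty's pipeline, nor Darktrace's or SentinelOne's product, and it uses a threshold rule where the paragraph describes machine learning): a per-principal hourly baseline is learned from a quiet window of trace records, new records are compared against it, and only what exceeds the baseline or was never seen before is escalated with enough context for a human to triage. The principals (`s.chen`, `catalog-sync`, `svc-temp`), actions and addresses are constructed sample data.

```python
"""Toy observability-to-escalation pipeline (illustrative, added for this page).

Constructed event records stand in for trace/log data. A per-(principal, action)
baseline of hourly activity is learned from a quiet window, and hours that fall
outside it, or principals never seen before, are escalated as Findings.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    hour: int        # hour index since the start of observation
    principal: str   # user or service account (constructed names)
    action: str      # e.g. "api.read", "api.write", "admin.login"
    source: str      # origin address of the request (constructed)


@dataclass
class Finding:
    principal: str
    action: str
    hour: int
    observed: int
    expected: float
    reason: str      # plain-language context handed to the analyst


def hourly_counts(events):
    """Aggregate raw events into (principal, action) -> {hour: count}."""
    counts = defaultdict(Counter)
    for e in events:
        counts[(e.principal, e.action)][e.hour] += 1
    return counts


def learn_baseline(events, hours):
    """Mean and population stddev of hourly counts per (principal, action),
    counting quiet hours as zero so sparse activity is modelled honestly."""
    baseline = {}
    for key, per_hour in hourly_counts(events).items():
        series = [per_hour.get(h, 0) for h in range(hours)]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def score(events, baseline, z_threshold=3.0, floor=1.0):
    """Escalate hours whose count exceeds mean + z_threshold * stddev.
    `floor` keeps a near-constant baseline from alarming on a single extra
    event. Any (principal, action) absent from the baseline is escalated."""
    findings = []
    for key, per_hour in hourly_counts(events).items():
        principal, action = key
        if key not in baseline:
            for h, n in sorted(per_hour.items()):
                findings.append(Finding(principal, action, h, n, 0.0,
                                        "never observed during baseline"))
            continue
        mu, sigma = baseline[key]
        limit = mu + z_threshold * max(sigma, floor)
        for h, n in sorted(per_hour.items()):
            if n > limit:
                findings.append(Finding(principal, action, h, n, mu,
                                        f"{n} events vs baseline mean {mu:.1f} "
                                        f"(limit {limit:.1f})"))
    return findings


def build_sample_events():
    """Constructed sample data: 24 quiet hours, then 3 hours containing a bulk
    read by a scholar account and a login from an account never seen before."""
    base, new = [], []
    for h in range(24):
        base += [Event(h, "s.chen", "api.read", "10.0.0.5")] * 5
        base += [Event(h, "catalog-sync", "api.write", "10.0.0.9")] * 20
    for h, n in ((24, 5), (25, 6), (26, 300)):
        new += [Event(h, "s.chen", "api.read", "10.0.0.5")] * n
    for h in (24, 25, 26):
        new += [Event(h, "catalog-sync", "api.write", "10.0.0.9")] * 20
    new.append(Event(25, "svc-temp", "admin.login", "203.0.113.7"))
    return base, new


def run_demo():
    """Learn from the quiet window, score the new window, return escalations."""
    base, new = build_sample_events()
    return score(new, learn_baseline(base, hours=24))


if __name__ == "__main__":
    for f in run_demo():
        print(f"[hour {f.hour}] {f.principal} {f.action}: {f.reason}")
```

Two records reach the analyst: the 300-read hour for `s.chen`, and the single `admin.login` by `svc-temp`, which no baseline can vouch for. The steady `catalog-sync` writer generates nothing, which is the point: the pipeline's job is to hand a human the few hours worth looking at, not every event.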

The talent and leadership section of this episode is where Isaac is most candid about what he has learned the hard way. His standard advice to students asking how to break into cybersecurity is to go learn something else first: a business process, a technology, where it breaks, what controls feel like from the inside. The cybersecurity skills can be taught. The business knowledge and architecture intuition cannot be shortcut. In the AI era, that advice becomes more urgent, not less, because the organizations that will use AI well are the ones whose people can ask good questions of it. In the Microsoft Copilot story Matthew recounts, the 85% of staff who stopped using the tool after 90 days went straight to demanding outputs without context, while the 15% who became power users treated it the way you treat a new hire who needs to learn the job. Isaac extends that into a leadership obligation: if AI is going to do the routine rote work, then the measure of a SOC analyst's success should not be how many threats they found. It should be how much they improved the observability pipeline from what they learned. That shift in measurement is what allows organizations to ride the wave of AI capability rather than be made redundant by it.

 

 

Resources mentioned in this episode

 

Matthew Connor on LinkedIn
CyberLynx Website
Isaac Straley on LinkedIn
J. Paul Getty Trust Website
Darktrace Website
SentinelOne Website

 

Sponsor for this episode...

 

This episode is brought to you by CyberLynx.com (CyberL-Y-N-X.com).

CyberLynx is a complete technology solution provider to ensure your business has the most reliable and professional IT service.

The bottom line is we help protect you from cyber attacks, malware attacks, and the dreaded Dark Web.

Our professional support includes managed IT services, IT help desk services, cybersecurity services, data backup and recovery, and VoIP services. Our reputable and experienced team, quick response time, and hassle-free process ensures that clients are 100% satisfied. 

To learn more, visit cyberlynx.com, email us at help@cyberlynx.com, or give us a call at 202-996-6600.

 

Check out previous episodes:

 

No Longer Exploratory: Building AI Governance for K12 with Desmond Grant - Ep 223

Building the School of the Future in Kansas with Rob Dickson - Ep 222 

From 45-Year Mainframe to AI Campus: Loyola's CIO on What Works with Alan Schomaker - Ep 221

 

 

Transcript: 

 

Isaac Straley

CISO

Getty (J. Paul Getty Trust)


Matthew Connor: Matthew Connor here, host of the Cyber Business Podcast. Today we're joined by Isaac Straley, CISO at Getty. Isaac, welcome to the show.

Isaac Straley: It's a pleasure to be here. Thank you for having me.

Matthew Connor: It's a pleasure to have you. Before we get too far in, a quick word from our sponsors. Hackers are getting smarter — is your security keeping up? Cyberlynx sells industry-leading, AI-powered cybersecurity solutions that detect threats in real time, so you know about an attack before the damage is done, not after. Learn more at cyberlynx.com. And now back to our show.

Isaac, for those who aren't familiar, can you tell us about Getty and your role there as CISO?

Isaac Straley: It's actually a pretty interesting role. When most people think of Getty — officially the J. Paul Getty Trust — they think of the museums in Los Angeles. There are two: the Getty Center up in Brentwood, which is what most people picture, and the Getty Villa out in Pacific Palisades. But there's actually a lot more to it than the museums. I've been here about two and a half months now, and this is my fourth CISO role — but probably the most interesting one I've had.

Let me make the case for why Getty actually needs a CISO, not just an IT security director. From a cybersecurity and digital perspective, there are really four major programs here. First, it's a significant tourist destination — hosting around a million and a half visitors a year across both museums, a number that's only going to grow with the World Cup and Olympics coming to LA. That means ticketing, parking, retail, and global web interactions. Second, the Getty Research Institute has a deep academic library and scholarship program — roughly another million and a half archival pieces in physical form, a growing digital collection, and scholars visiting from around the world both physically and digitally. Third, the Getty Conservation Institute runs cutting-edge scientific research on material science — think preserving plastics that are literally degrading, conserving paints and oils, statues and stone, with specialized digital imaging labs doing the assessment work. And fourth, the Getty Foundation is a global philanthropic grant maker.

Beyond all that, we also deliver open-source software out to the sector. There's a program called ARCHES — a data management platform for heritage organizations, used for managing archaeological dig sites and similar contexts. We have a vocabulary and data scheme system that defines how you describe and talk about art. And there's a provenance database — think of provenance the way you'd think of identity in cybersecurity, except it's tracking the ownership, stewardship, and life cycle of art pieces. All of these are publicly accessible, API-enabled, and data-rich systems.

So when I think about my role, it's not just protecting a museum. It's protecting the infrastructure that supports global cultural heritage organizations, in a sector that honestly hasn't received the investment and attention it needs. We've seen recent attacks on the Seattle Public Library, the Toronto Public Library, and at the top of that list, the British Museum. This is a real threat landscape.

Matthew Connor: You've made a strong case. And I think it highlights something important — there are no safe corners anymore. You wouldn't normally list libraries and museums alongside financial institutions and hospitals as obvious attack targets. But everybody is a target now, whether directly because of who you are or simply because an automated process found a vulnerability and exploited it. And with agentic AI-powered attacks operating at machine speed, even a large, well-resourced organization struggles to keep pace. For an institution like Getty, how do you think about that?

Isaac Straley: I approach the attack side almost entirely from an economics and business perspective. There's a full supply chain behind the cybersecurity attack lifecycle now — organizations with HR departments running these operations. I doubt their KPIs include how many hospitals they chose not to hit. Especially with the speed at which AI and agentic tools operate, I don't think it's even a thoughtful targeting decision in many cases. The question is just: do you have vulnerabilities, can they be exploited? And the answer is always yes to both. So it's much more about understanding what the impact will be than trying to prevent every possible entry point.

For Getty specifically, our confidentiality concerns are moderate — we have about 1,400 employees plus a large volunteer and community base. But we have millions of web visitors a year, and even something as simple as our website being used as an attack vector against those visitors is deeply problematic, even if it doesn't harm us directly. Reputational damage to an organization like the Getty is a serious concern. And we're also protecting the privacy of our employees, scholars, and community. So I'm very focused on maintaining a consistent security posture across the full breadth of what we do, because in the AI world, as you said — there really are no safe corners.

Matthew Connor: And that's exactly why I get excited about products like Darktrace — not just bolting an LLM onto an existing security product and calling it AI-powered, but using machine learning the right way. Machine learning has been around forever, it just wasn't sexy until recently. But it is the unsung hero. As agentic attacks find vulnerabilities that have existed for decades, you can't patch your way to safety. Patch management is like printing an encyclopedia — by the time it's out, it's already outdated. What you need is something that understands what normal looks like, recognizes when something deviates from that, stops it, and calls for a human to take a look. I think that's the only viable path forward. What's your take?

Isaac Straley: I'm fundamentally aligned with that. On the preventative and protection side, there's basic hygiene — we have legal, ethical, and practical obligations to maintain that foundation. Most people in this field aren't in it for the compliance checkboxes; they're here because they care about the mission or just doing excellent work. So the protection and prevention pieces matter.

But I think the discipline of cybersecurity has been signaling something for a long time that we're only now getting the technology to actually act on: the real game is in detection, response, and recovery. If you look at the NIST Cybersecurity Framework in its purest form, three of the five functions are on the response side — detect, respond, recover. We've known this intellectually, but the technology and the business processes to actually execute it weren't there. That's changing now.

One wrinkle I find really interesting is that the AI age is also the age of builders. We're no longer going to design infrastructure with carefully designed controls baked in. We're going to build platforms that enable people to build things we couldn't have anticipated — how they'll work, where they'll run, or why. You can't control that entirely through prevention. What you do instead is build really strong observability pipelines — rich trace data that serves both the functionality of the systems and their security posture simultaneously. That's the virtuous loop: better data inventories, better log and trace data, collected because people want feedback on whether their systems are working. Security becomes embedded in the value people are already seeking, rather than a separate tax on the organization.

Matthew Connor: And that connects to something you mentioned — about how higher education and nonprofits aren't as different from commercial organizations as people think. Every organization has functions that need to be enabled, whether the goal is revenue or mission. IT is at the heart of all of it now, and it has to be a force multiplier. And I think AI is making that more achievable than ever for organizations that lean in. I have a daughter who's about to graduate in computer science, heading into cybersecurity, and she's actually a bit resistant to AI — she feels like she codes better herself. Which I found surprising. I didn't expect to have to fight that battle with her. But I think at every level, there are people on both sides of this, and the genie is absolutely not going back in the bottle.

Isaac Straley: There's a lot I want to say to that. I don't want to downplay the real risk of job displacement — this will be a turbulent transition. But I don't think it has to be doom and gloom. The skills needed to understand what good code looks like, to understand architecture and engineering, to ask good questions — those will remain invaluable. The problem-solving doesn't go away.

At the Getty, I've actually been given responsibility for AI strategy broadly — not just security AI, but the organizational-wide strategic framework. And what's interesting is that in an organization like ours, there's less urgency to move fast on AI, which actually gives us the luxury to sit back, observe what's happening, and have thoughtful, substantive internal conversations rather than just mandates from a governance committee. That debate — with its full emotional and intellectual range — is healthy. We're picking the areas where we can develop clear business value and where the use of AI doesn't challenge our core values. Defensive cybersecurity posture is one of those areas: it's clearly going to assist the people doing this work, it provides real organizational value, and it aligns well with what we stand for.

And on the talent side — I've been saying for years to students: if you want to get into cybersecurity, go learn something else first. Learn a business process, understand technology from the inside, figure out where it breaks, figure out why controls frustrate people. Then come to cybersecurity. The security skills can be taught. The business knowledge, the architecture knowledge, the engineering intuition — that's what you have to go earn. What I think AI now makes possible is freeing people who are stuck in rote, repetitive tier-one tasks, giving them better tools to handle those tasks, and creating pathways for them to grow. Tier-one help desk people are actually great candidates for SOC analyst roles. We just need the combination of better tooling and deliberate career path design to make that transition happen. And I think AI-assisted SOC environments — like what SentinelOne and CrowdStrike are building with AI-powered event analysis — make that transition more accessible than it's ever been. When an event is automatically broken down into plain-language explanation and actionable context, someone learning the space can actually keep pace and develop real understanding rather than drowning in raw log data.

Matthew Connor: A hundred percent. And I love how you think about success metrics shifting — not how many threats did you stop, but how have you improved your observability pipeline. That's a fundamentally different leadership lens than just counting blocks and incidents. And it connects to the Microsoft Copilot story, which I think is instructive here. When Microsoft deployed Copilot internally, they expected about 85% of staff to become power users. What they found after three months was the opposite — only 15% were still using it heavily. When they dug into why, the power users were the people applying human skills to the tool: treating it like a new employee, onboarding it, giving it clear context and expectations, managing it the way you'd manage a person. The 85% who dropped off treated it like a vending machine — asked it to do something, got an output they didn't love, and gave up. The lesson is that the future of AI is still heavily dependent on people skills. Leadership, communication, the ability to ask good questions and frame good problems. The tech-for-tech era is over. People skills are what drive outcomes now, and I think that's actually a genuinely good thing.

Isaac Straley: I love that framing. And I agree that we need to work for that future — it doesn't just arrive automatically. But the path I'd tie it to directly is exactly what you described: shifting the success criteria we set for people. For my SOC analysts, I don't want to measure success by how many events they caught. I want to measure it by how they've improved our observability pipeline based on what they've seen. That's a fundamentally different question and it cultivates a fundamentally different kind of thinking. The stewardship side — ROI, program costs, how many things we stopped — those conversations are necessary. But that's not leadership. Leadership is cultivating the right problems for your staff, setting them up to bring their best critical thinking, and making sure we're actually riding that wave of potential rather than just managing against risk.

Matthew Connor: Isaac, this has been an absolute blast. I've genuinely enjoyed this conversation. Before we go, can you tell everyone where they can find out more about you and Getty?

Isaac Straley: Sure. Getty's website is getty.edu — two museums in Los Angeles. One important note for visitors: the Getty Center is going to close for about a year starting next year to prepare for the Olympics and address long-overdue maintenance, including upgrading a 30-year-old tram system. So if you're planning to visit the Getty Center, do it now. If you're in LA during the closure period, the Getty Villa in Pacific Palisades will be open — it'll be the year of the Villa, so that's well worth the visit. For reaching me, I'm primarily on LinkedIn — come find me there if you want to continue the conversation.

Matthew Connor: Fantastic. Thanks again, Isaac. Until next time.

Isaac Straley: Thank you.
