Enterprises are moving past the novelty of simply using AI and into the far more challenging work of becoming truly AI-native. That shift, where the technology is no longer a bolt-on layer for productivity but a foundational element of how code is created, reviewed, and secured, raises new questions. How can enterprises effectively build security, compliance, and human oversight into workflows that now run on intelligent systems?

David Cross, CISO of Atlassian, has spent more than twenty years leading security at scale across companies like Google Cloud and Microsoft. His background spans cloud security, identity, and enterprise risk, a mix that gives him a sharp, practical view of how AI is reshaping software development. Cross sees the industry at a turning point, where humans and machines are beginning to trade roles in how code is created and secured.

"Humans used to write all the code while AI validated it. Now AI writes the code, fixes the vulnerabilities, and keeps it compliant, and humans step in as the final check," said Cross. The result is a transformation of security from a periodic, manual chore into a continuous, automated motion. The old model of a once-a-year pen test is giving way to a system that finds and fixes issues in real time, while also evolving to counter modern threats like prompt injection. It’s what finally makes the long-held dream of "shifting left" a practical reality, tackling persistent issues like technical debt and brain drain by giving every developer an expert assistant.

  • Legacy lifesaver: "Not every developer can specialize in security, privacy, or compliance, but AI can enforce those standards automatically," Cross explained. "It can even repair legacy code long after the original developer has moved on, because it doesn't need prior familiarity to understand what's broken."

  • Hype check: But before companies can realize this vision, they have to confront a few inconvenient truths. A paradox has emerged where organizations are pouring massive investments into AI while struggling to see, let alone quantify, the returns. According to Cross, the problem often begins because leaders fail to start with a frank assessment of the business case. "You need to think about the value proposition and what you want to achieve," he said. "You have to realize that some of it will be experiments, and sometimes, using AI can actually be more costly than doing it manually."