
For Steve Ward, the former Chief Information Security Officer at Home Depot, the frontline of cybersecurity has always been about adaptation. In a world where cloud environments and SaaS apps have expanded the digital attack surface three to four times, the tools and techniques of yesterday can no longer defend the enterprises of today.
As Ward puts it, "We weren't really done with what we were working on 10-15 years ago. It's not like we all stood up back in the day and said, ‘Okay, all of our data centers are protected. Now we're good to go.’" That explosion in digital infrastructure didn’t just complicate visibility; it overwhelmed traditional response models. At Home Depot, Ward faced a familiar yet urgent question: how do you manage skyrocketing risk without exponentially growing labor and costs?
Legacy security operations were built on log analysis and manual alert review, a framework that simply couldn’t keep pace with the complexity of modern enterprise systems. "I think we still have major labor waste within cyber," Ward emphasized. "That's the number one feedback that I get from folks: I spend too much money on labor to get this thing working as designed and as pitched."
One glaring inefficiency? The Security Operations Center (SOC) alert pipeline. "I've heard upwards of 90% of the alerts that come in are machine-to-machine," Ward said. "There are false positives. There are things that we kick to tier three... and it's just not something of interest."
The result: overburdened analysts, underwhelming speed to value, and ballooning costs. In Ward's view, the typical implementation timeline for enterprise cybersecurity software was emblematic of the problem. "I remember plugging things in [and] a year later we're like, ‘Oh, the project's over.’ That's a year of labor to get that thing to do what the original use cases were. I just think that's too long."
At Home Depot, Ward took an unconventional but increasingly necessary approach: integrating automation and light AI directly into the SOC workflow. The goal was simple: reclaim time, reallocate talent, and raise the bar on both effectiveness and morale.
"What I have already seen, even from the orchestration side with light AI... we're gonna see numbers upwards of 80% of the alerts that come in a traditional SOC organization are gonna go away," Ward explained. This wasn't about replacing people. It was about evolving roles. "It means we can retrain them or move them to other areas of focus that are gonna help us more on remediation, more on the response, more on red teaming, and trying to find things before someone else does."
The changes extended beyond alert management. Identity and access management, traditionally the most labor-intensive and expensive orgs in Ward's portfolio, also stood to benefit. "The amount of labor we put into that is incredible... I had to put too many bodies in there to manually do things around research. Things like that that I think AI takes out."
While reducing alert fatigue was a crucial early win, Ward was most energized by AI’s potential to shift the security posture from reactive to proactive. Drawing from his experience in threat intel at JPMorgan, he reflected on the sheer inefficiency of manual investigations. "It can take weeks of analysts’ time to go investigate all the logs," Ward recalled, describing incidents where a team took three weeks to uncover a breach. "What's the opportunity for AI to figure that out in three seconds, rather than three weeks?"
Ward believes the next frontier is predictive modeling: using AI not just to detect breaches faster, but to foresee them. "Using AI to determine the predictability of an attack before it happens. That's on the horizon... you're gonna have enough data, enough attack scenarios, whether you're getting threat data that helps enrich it. I think you're gonna be able to really, in an automated way, run those scenarios and predict what could happen and what the chain of events are."
That shift, from triage to anticipation, carries profound cultural implications. "We're still very, very reactive," he noted. "To be proactive and energize these ops teams where they can get ahead of something and feel like they're getting wins, I think is incredible."
Ward’s insights underscore a broader truth in enterprise security: it's not just about defending systems but about optimizing human capital. When AI can eliminate 80% of irrelevant alerts, automate routine access reviews, and spotlight breaches before they occur, it redefines what security teams are capable of achieving.
"This AI allows you to be an amazing attacker... you just need to have the motive," Ward warned, highlighting the stakes. But that same power, wielded responsibly, can tip the balance back in favor of defenders.
"You will not be able to identify and defend an AI attack with the last 20 years of solutions," Ward said bluntly. "You're just not. You're gonna have to use AI to defend against AI."
His experience offers a practical playbook for CIOs, CISOs, and tech executives staring down their own rising alert volumes, shrinking budgets, and escalating expectations. Start with your pain points. Automate the noise. Predict the signal. And above all, invest in empowering your people to win today’s battles, not yesterday’s.