<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Amy Teibel, Author at Security Current</title>
	<atom:link href="/author/amy-teibel/feed/" rel="self" type="application/rss+xml" />
	<link>/author/amy-teibel/</link>
	<description>Security Current improves the way security, privacy and risk executives around the world collaborate to protect their organizations and their information. Its CISO-driven proprietary content and events provide insight, actionable advice and analysis giving executives the latest information to make knowledgeable decisions.</description>
	<lastBuildDate>Mon, 15 Sep 2025 19:00:01 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	

<image>
	<url>/wp-content/uploads/2020/09/cropped-Security-Current-Round-Logo-32x32.png</url>
	<title>Amy Teibel, Author at Security Current</title>
	<link>/author/amy-teibel/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>There’s No Such Thing as Zero Risk:  A Conversation With Nikk Gilbert, RWE CISO</title>
		<link>/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Mon, 15 Sep 2025 18:56:10 +0000</pubDate>
				<category><![CDATA[Blogs]]></category>
		<guid isPermaLink="false">/?p=37608</guid>

					<description><![CDATA[<p>The post <a href="/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/">There’s No Such Thing as Zero Risk:  A Conversation With Nikk Gilbert, RWE CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img fetchpriority="high" decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO.png" class="vc_single_image-img attachment-full" alt="" title="There’s No Such Thing as Zero Risk A Conversation With Nikk Gilbert RWE CISO" srcset="/wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO.png 1017w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-300x172.png 300w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-180x103.png 180w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-768x441.png 768w, /wp-content/uploads/2025/09/Theres-No-Such-Thing-as-Zero-Risk-A-Conversation-With-Nikk-Gilbert-RWE-CISO-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p>In this candid conversation, Nikk Gilbert, Chief Information Security Officer at RWE, shares his perspective on zero risk myths, burnout, organizational pace, and why resilience is the real strategy. His answers are unfiltered and grounded in decades of frontline experience.</p>
<p><span style="color: #5c028c;"><strong>Q: Can a company ever really achieve zero risk if it spends enough?</strong></span></p>
<p>“No company can achieve absolute zero risk — but what you can achieve is the confidence that when incidents happen, you’re prepared, tested, and ready to respond effectively. That is real strength, and that’s where investment truly pays off.”</p>
<p><span style="color: #5c028c;"><strong>Q: Burnout is a huge problem in your role. How do you avoid it?</strong></span><br />
“This role is demanding, but sustainability matters. I’ve learned that balance doesn’t mean counting hours — it means energy management. I aim for work-life harmony. When I’m at work, I’m fully engaged. When I disconnect, I recover. That rhythm keeps me sharp, and it means the company gets my best, consistently.”</p>
<p><span style="color: #5c028c;"><strong>Q: What should boards and executives really hear from a CISO?</strong></span><br />
“Boards deserve clarity. They need to know that cyber risk is not about perfection but preparation. Attackers will always try — what matters is that the company has the right plans, people, and response capability. With strong preparation, we keep the narrative under control: RWE is resilient, capable, and never caught off guard.”</p>
<p><span style="color: #5c028c;"><strong>Q: What about organizational speed?</strong></span><br />
“Every organization has its natural pace. The goal of a CISO is not to fight that, but to align with it and still move forward steadily. A battleship doesn’t turn quickly, but once it turns, it’s unstoppable. That’s the power of discipline and direction.”</p>
<p><span style="color: #5c028c;"><strong>Q: At the end of the day, how do you see your role?</strong></span><br />
“Cybersecurity is one part of a much larger machine. Our job is not to be the center of attention, but to quietly ensure resilience is built into the company’s DNA. When risk becomes reality, our role is to steady the ship and protect trust. That’s leadership in action, even if it’s behind the scenes.”</p>

		</div>
	</div>
</div></div></div></div>
</div><p>The post <a href="/theres-no-such-thing-as-zero-risk-a-conversation-with-nikk-gilbert-rwe-ciso/">There’s No Such Thing as Zero Risk:  A Conversation With Nikk Gilbert, RWE CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Expert Spotlight: Gregory Eskins, Marsh</title>
		<link>/expert-spotlight-gregory-eskins-marsh/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 03 Jul 2025 14:59:00 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=37506</guid>

					<description><![CDATA[<p>The post <a href="/expert-spotlight-gregory-eskins-marsh/">Expert Spotlight: Gregory Eskins, Marsh</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/07/Gregory-Eskins-Marsh.png" class="vc_single_image-img attachment-full" alt="" title="Gregory Eskins, Marsh" srcset="/wp-content/uploads/2025/07/Gregory-Eskins-Marsh.png 1017w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-300x172.png 300w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-180x103.png 180w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-768x441.png 768w, /wp-content/uploads/2025/07/Gregory-Eskins-Marsh-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/expert-spotlight-gregory-eskins-marsh/gregory-eskins-marsh/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><span style="color: #808080;"><strong>DISCLAIMER</strong></span></p>
<p><span style="color: #808080;">The commentary is not intended to be taken as advice regarding any individual situation and should not be relied upon as such. Furthermore, all commentary is based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, accounting, tax, or legal advice, for which you should consult your own professional advisors.</span></p>

		</div>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><i><span style="font-weight: 400;">Cyber risk and insurance advisor Gregory Eskins sat down with CISOs Connect for a wide-ranging discussion about cyber insurance and developments in the industry. </span></i></p>
<p><span style="font-weight: 400;">Personal liability is weighing on Chief Information Security Officers as the SEC becomes more aggressive in demanding individual accountability for corporate cybersecurity practices and disclosures. </span></p>
<p><span style="font-weight: 400;">Be proactive, says Gregory Eskins, Global Cyber Product Leader and Head of the Global Cyber Insurance Center at New York-based insurance brokerage Marsh.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“There are avenues to ensure that CISOs are personally protected,” Eskins said. </span></p>
<p><span style="font-weight: 400;">“A starting point is to look at their organization’s directors and officers policy, ensuring that the CISO is included as an Insured within the policy. There may also be an opportunity to secure a personal indemnity, often as a condition of hiring.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Although cyber policies are entity-based, i.e. designed to primarily protect the organization that purchased the policy, the definition of insured is generally expansive and can include directors and officers, employees, and others. A CISO, as an employee of the organization, would thus generally fall within scope of coverage if there is a covered claim under the cyber policy, he added. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“If a CISO is concerned about their personal exposure or financial ruin, I suggest proactively speaking with legal and the risk team to explore avenues of protection,” Eskins said. “It is reasonable for a CISO to expect to be protected via their organization’s D&amp;O and Cyber policies. To the extent there are gaps – such as CISOs working </span><i><span style="font-weight: 400;">pro bono</span></i><span style="font-weight: 400;"> outside of their organization or as a contractual consultant, either of which can translate into professional liability exposure – the market is introducing products to fill those gaps.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">In addition, CISOs who are concerned about their physical safety can explore coverage designed to offer physical security stemming from kidnap and ransom. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">CISOs have a strong voice when it comes to cyber insurance and they should actively utilize it, Eskins said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Because cyber insurance continues to evolve, we recommend that you engage, work with your broker, your insurer, express your perspectives in terms of what you think is working effectively, and especially things you are dissatisfied with,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“CISOs have gone from often being reluctant participants in the process of underwriting and procuring insurance to being advocates of balancing security investment and risk transfer. The CISO’s perspective is invaluable in helping us shape the market to design more effective coverage and generally understand what we can do better.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">When CISOs, especially those working in critical infrastructure, expressed concerns about the evolution of the war exclusion within cyber policies, including reservations around the scope of those exclusions and how they would be applied, that helped brokers advocate with regulators and insurers in formulating options for them, Eskins said. </span></p>
<p><span style="font-weight: 400;">Dissatisfaction around the time it takes to resolve business interruption claims is another area where CISOs’ voices are heard, and solutions are being worked on, he said. </span></p>
<p><span style="font-weight: 400;">Brokers and insurers are also experimenting with ways to reduce underwriting questions after CISOs clearly signaled their frustration about the number, types and overlapping questions, along with the lack of feedback regarding the market’s perspective of their organization’s risk, including how such information is being protected, Eskins said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“There had been a wide array of potentially overwhelming and overlapping questions.  Over time, we gained a deeper understanding of the controls, processes, software and single points of failure that reduce or amplify risk,” he said. “Underwriters are not looking for the perfect risk, but rather strong signals indicating sound controls and hygiene practices, organizational governance and overall resilience.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“That being said, change is constant,” Eskins added. “Now with generative AI, there are questions about how this technology changes risk, and how to underwrite and price exposure. Currently, we are in a period of calibration.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Generative AI doesn’t fundamentally change things on the insurance front because there is not yet a new novel risk that emanates from the use of large language models, Eskins said. </span></p>
<p><span style="font-weight: 400;">“Generative AI reflects an evolution that builds upon existing technology.  In comparison, the emergence of the internet ushered in a whole new set of digital exposures and risks. To date, generative AI has amplified existing risks and added nuances that impact underwriting and pricing considerations. If, over time, generative AI converges with other emerging technologies, we may see new categories of risk arise, and almost certainly, a post-quantum cryptographic world would look entirely different.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Telemetry is another area where CISOs have been expressing their views. Some say they will never permit an insurer to even have read-only access to inside the firewall information, whether on premises or via hyperscalers. Others welcome providing a real-time view provided the incentives are concrete, such as premium discounts that reflect their positive security posture, Eskins said.   </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“That type of feedback helps us build for the future,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">At this point, telemetry is not something that insurers require, he said. In the short term, insurers will continue to experiment capturing telemetry data from those willing to share.  Ultimately, insurers will evaluate if the data has a meaningful impact on risk modelling, what actions positively and negatively impact cyber events, and how to accurately reflect the relative client and portfolio risks through premiums, he said. </span></p>
<p><span style="font-weight: 400;">“We’re still in the process of validating the hypothesis as to whether telemetry moves the needle in a meaningful way around the understanding of risk and the ability to model and price,” Eskins said.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“That said, we know it does not hurt. I do see this effort gaining momentum, especially as the adoption of cloud environments increases,” he said. “The hyperscalers all have strong security support mechanisms for which organizations can remediate vulnerabilities, update configurations to harden their environments, turn on new security tools, and benchmark themselves against any number of standards. Smaller, resource constrained organizations stand to benefit greatly from such support, and are generally more open to sharing that information in return for pricing reductions.” </span></p>
<p><span style="font-weight: 400;">Eskins sees cyber insurance moving toward a greater degree of convergence specific to standardizing the less innovative components of a contract to create greater clarity, contract certainty, and consistency pertaining to what’s covered, where appropriate.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“There is fertile ground to improve existing products by reducing complexity relating to risk assessment, coverage and claims.  The near future may reflect an evolution rather than a revolution of thinking, with incremental changes being more impactful than the creation of niche products,” he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“An important evolution, to my mind, is about solving for the existing pain points, like the long time it takes to sort out business interruption claims, for example.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">For small and medium enterprises, it’s also making sure that the turnkey solutions that embed risk engineering and security services right into the product are understood and appreciated, Eskins said.  </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Cyber insurance can be a financial safety net that is subordinate to our brokers and insurers’ shared objective to help make organizations more secure and resilient,” he said. </span></p>
<p><span style="font-weight: 400;">“It’s critical for them to get back to business quickly because their ability to withstand revenue disruptions typically is a lot less than a large organization, where it’s painful, yet not fatal.”</span></p>

		</div>
	</div>
</div></div></div></div>
</div><p>The post <a href="/expert-spotlight-gregory-eskins-marsh/">Expert Spotlight: Gregory Eskins, Marsh</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Heather Gantt-Evans, Marqeta Chief Information Security Officer</title>
		<link>/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Fri, 27 Jun 2025 19:12:25 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37468</guid>

					<description><![CDATA[<p>The post <a href="/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/">CISO Spotlight: Heather Gantt-Evans, Marqeta Chief Information Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<div class="wpb-content-wrapper"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div  class="wpb_single_image wpb_content_element vc_align_left">
		
		<figure class="wpb_wrapper vc_figure">
			<div class="vc_single_image-wrapper   vc_box_border_grey"><img decoding="async" width="1017" height="584" src="/wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta.png" class="vc_single_image-img attachment-full" alt="" title="Heather Gantt-Evans, Chief Information Security Officer at Marqeta" srcset="/wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta.png 1017w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-300x172.png 300w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-180x103.png 180w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-768x441.png 768w, /wp-content/uploads/2025/06/Heather-Gantt-Evans-Chief-Information-Security-Officer-at-Marqeta-600x345.png 600w" sizes="(max-width: 1017px) 100vw, 1017px"  data-dt-location="/ciso-spotlight-heather-gantt-evans-marqeta-chief-information-security-officer/heather-gantt-evans-chief-information-security-officer-at-marqeta/" /></div>
		</figure>
	</div>
</div></div></div></div><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
	<div class="wpb_text_column wpb_content_element " >
		<div class="wpb_wrapper">
			<p><span style="font-weight: 400;">Chief Information Security Officers should be thinking evergreen processes, not whack-a-mole, says Heather Gantt-Evans, CISO at financial services software provider Marqeta.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“The biggest challenge for the CISO role is a willingness to define a strategy, define priorities and not let your team get distracted by every little thing that pops up,” Gantt-Evans said.  “You can tactically play whack-a-mole, or you can strategically create an evergreen process, system, framework to be able to not be in that place again. </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It’s a balance of making sure that you know if a really bad mole pops up, that you tactically address that promptly. But since you can’t do that for every little thing, you have to be able to stick to a strategy, articulate and align to your priorities, because implementing robust programs and controls takes time, and so you have to be committed and grounded in that journey.” </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Gantt-Evans served in the U.S. Army Reserves as an all-source threat intelligence analyst, and supported Air Force Cyber Command as a contractor, focusing on cyber threat intelligence and integration of intelligence into security operations. On the corporate side, she consulted with Ernst &amp; Young to develop Fortune 100 cybersecurity programs across multiple industries; was the CISO at identity security software provider SailPoint; and served in a deputy CISO capacity at the Home Depot.  </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Gantt-Evans’ work with the military has led her to take a very threat-centric approach to how she seeks to communicate, understand and manage risk. In the military and at E&amp;Y, “I also got used to the concept of operating like a SWAT team,” she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“You’re read into new projects and new environments without a lot of context beforehand, and you have to manage through that ambiguity,” she said. “The adaptability to manage through ambiguity gives you a more grounded risk tolerance. You’re never going to know all of the facts, so being comfortable managing through that is key. “ </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">In the course of her career, Gantt-Evans has gradually gone to smaller and smaller organizations, concluding that “I really value being able to reach people and put my arms around the environment.”  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“The ability to feel that sense of completion when you’ve rolled out a security control is very important to me and my integrity,” she said. “Sometimes when you’re in these super large organizations, it’s simply not possible to achieve that. And so that’s something I’ve sought out in my current role, the ability to ensure that I can put my arms fully around the people and the infrastructure.”  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">One thing that’s top of her mind is exploring whether there are smarter ways to define operating models.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“We have to rethink how we operate so we can present ourselves as a singular voice to the rest of the company on what needs to be remediated,” she said.  “Five or six years ago we were not talking about the same capabilities that we need in place. For example, now there are API security tools, there are attack surface management tools. </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“And it’s not as clean of an operating model as it used to be, where maybe you had an endpoint team focused solely on endpoint agents, and a security operations team focused just on monitoring threats. Now we’re finding ourselves needing to have a lot more cohesion across services, a lot more cross training and redundancy in people. Teams’ mandates can overlap, so we can’t continue to operate in those silos that we used to have that were very clean cut.”  </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Gantt-Evans envisions the CISO role possibly evolving to focus on all digital risk, which is more broad and nuanced than just information security, and could include things such as disaster recovery, she said. She also sees the role possibly evolving into more of a resiliency role, or a customer trust role.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“I hope to see a future where there’s a lot more discussion about succession planning for your CISO, and how to elevate effective CISOs into some of those other broader branches within the organization,” she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Gantt-Evans said it can feel like Groundhog Day when asked to identify trends in cybersecurity, “because the trend is that it’s always accelerating in terms of the technology and the tactics the adversaries are taking.” This last includes adversarial integration of AI to help more automatically discover and exploit vulnerabilities, and to make more compelling social engineering content. </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">She’s noticed that CISOs aren’t job-hopping as much as they used to, and welcomes that mutual commitment of security leaders and companies, given that cybersecurity transformations take six-plus years to do effectively, she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“SolarWinds led the way by sticking behind their CISO during that event. I think it proved to the world that you don’t have to scapegoat your CISO to make it through a cataclysmic cyber event,” she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Second, CISOs have been around a little bit longer, and there’s greater understanding of what they do. Thirdly, some of the policy directives coming out of the SEC and other bodies really emphasize the importance of a strong security team and strong security talent at the board level. All of these things have culminated in less fear on the CISO’s part of needing to get out before something happens, and more commitment and understanding of cybersecurity risk and how to address it.” </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"> </span><span style="font-weight: 400;">Companies might need different types of CISOs at different stages in their lifecycles, she said. A company that needs to push the engineering and development organizations to make change might need a CISO with a strong engineering and development background. Sometimes companies need a CISO who is more adept at speaking at the board and executive levels to inform and educate and reassure, she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It very much depends on the stage the company is at with regards to security culture and awareness, and the company culture itself,” she said.    </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">When CISOs are doing the hiring, Gantt-Evans thinks they need to be “a lot more creative in the non-traditional backgrounds that map really well to some security roles.” </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“For example, I’ve had great success hiring teachers into security training and awareness leadership roles,” she said. “I’ve had great success hiring healthcare lab data scientists into vulnerability management roles. So I believe thinking through the competencies and what non-traditional backgrounds might exhibit those really strongly is a great way to add increased diversity in your team. And lastly, I would highlight that you can do so much with people who are passionate. Some of the best people I’ve worked with were self-taught.”  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">How she decompresses from her high-pressure job changes with the seasons of life, Gantt-Evans said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Right now, I’m enjoying being very bored outside of work. I’ve been doing things to focus on slowing my nervous system down – red light therapy, meditation, enjoying stillness, watching my kids play,” she said.  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“But when I’m feeling in a more outgoing season of life, I really enjoy purchasing tickets to be entertained. I feel like in our virtual world, we do so much performing by nature of being on screen. And so I really enjoy going and having a comedian or a musician or a ballet troupe or a theater troupe perform. I find that so relaxing to be able to take a step back, go into somebody else’s artistic world and not have to perform.”  </span><span style="font-weight: 400;"><br />
</span> <span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"> </span></p>

		</div>
	</div>
</div></div></div></div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Arif Hameed, C&#038;R Software Chief Information Security Officer</title>
		<link>/ciso-spotlight-arif-hameed-cr-software-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Tue, 06 May 2025 13:59:22 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37413</guid>

					<description><![CDATA[<p>Many people are looking to break into cybersecurity, but without experience, it can be tough to get a foot in the door. Arif Hameed, Chief Information Security Officer at C&#38;R&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37415" src="/wp-content/uploads/2025/05/Arif-Hameed-CR-Software.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2025/05/Arif-Hameed-CR-Software.png 1017w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-300x172.png 300w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-180x103.png 180w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-768x441.png 768w, /wp-content/uploads/2025/05/Arif-Hameed-CR-Software-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>Many people are looking to break into cybersecurity, but without experience, it can be tough to get a foot in the door.</p>
<p>Arif Hameed, Chief Information Security Officer at C&amp;R Software, advises looking into cyber-adjacent roles.</p>
<p>“My pathway started with software quality assurance, and that pivoted to IT audit, which was my springboard to cybersecurity,” Hameed said.</p>
<p>“Another path is through the help desk, which can get you into incident response. Or if you’re into quality assurance or software development, you can get into application security. A role as a site reliability engineer can lead to a position in cloud security. There are a lot of cybersecurity-adjacent roles that overlap and can pivot you into the cybersecurity role you want. Get yourself industry-recognized cyber certifications and in parallel try to build on your experiences.”</p>
<p><strong>Serving business</strong></p>
<p>Hameed’s current company develops software for credit risk management.</p>
<p>“Because we’re tied into banking customers, security is extremely important,” he said. “At the same time, we reached the conclusion that it’s not just a technologist role, but something that has to be in service of the business rather than in service of security per se.”</p>
<p>The transition from technologist to business enabler marks a major evolution in the CISO’s role as the job becomes more visible and elevated in an area of increasingly frequent and sophisticated breaches.</p>
<p>“You have to have the technical knowledge, but you have to understand along with the technology, what is the actual business risk?” said Hameed, who expects to see many more regulations as attacks mount, with a tighter push on security and privacy.</p>
<p>“As you move up the corporate ladder, the ability to communicate is vital. You need to avoid jargon, and business leaders don’t want to hear FUD – fear, uncertainty and doubt,” he said. “They want to be realistic. So you want to be a true risk manager. Look at the big picture of the war at hand and pick your battles. Win the war, not a few battles here and there.”</p>
<p><strong>Evolving role</strong></p>
<p>As the role of CISO evolves, Hameed sees many CISOs taking on the position of Chief Technology Officer, and others becoming Chief Privacy Officers.</p>
<p>“The role is evolving, but it depends on the organizational need,” he said. “What the CISO means for an organization that’s in technology is potentially very different from an organization that’s in health or finance or manufacturing.”</p>
<p>Before joining C&amp;R, Hameed was the inaugural CISO at Munich Re New Ventures and Senior Director of Client Cybersecurity at Equifax. Previously he held security roles at TD Bank, and worked in information technology audit and IT risk at Royal Bank of Canada (RBC).</p>
<p><strong>Customer-focused</strong></p>
<p>“I’m very much a customer-focused CISO dealing with external customers, so my experience in the financial services and managing external, internal and customer audits was invaluable,” he said.</p>
<p>“Customer trust is a big component. There is a lot of focus on third party risk. We’ve had a vendor that assists us with questionnaire responses, and we use another vendor for our Customer Trust portal. But it’s critical to create a process of making customer due diligence efficient, especially if you’re a CISO who is very customer facing.”</p>
<p>A good CISO has to be calm under pressure, Hameed said.</p>
<p>“Security is a very challenging field because it’s constantly changing,” he said. “You’re responsible for other people’s livelihoods. If there’s a major breach, you’re not just worried about your own head rolling, you’re also responsible for revenue implications for your company.</p>
<p>“Unfortunately, a number of people have been burned out and moved on to different roles, or even downgraded themselves. They still want to be in cybersecurity, but they don’t want to take that responsibility.”</p>
<p><strong>Time off</strong></p>
<p>Hameed encourages people on his team to take time off as needed, and ensures that he does at least semi-monthly in-person meetings, as well as team lunches.</p>
<p>“I want to have an informal and collaborative environment,” Hameed said. “I’m approachable. If anyone wants to speak to me, it doesn’t matter if you’re not my direct report. Culture is important.”</p>
<p>To relieve the immense pressure that comes with the job, Hameed walks and has recently taken up squash and pickleball.</p>
<p>“I get a lot more out of it than doing the treadmill or some other exercise, and it’s fun,” he said.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Executive Program Preps C-Suite Leaders for Career-Shaping Boards</title>
		<link>/executive-program-preps-c-suite-leaders-for-career-shaping-boards/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Mon, 05 May 2025 16:34:50 +0000</pubDate>
				<category><![CDATA[Expert Insights]]></category>
		<guid isPermaLink="false">/?p=37408</guid>

					<description><![CDATA[<p>Executive Program Preps C-Suite Leaders for Career-Shaping Boards<br />
“I use an analogy that the board represents the Supreme Court of stakeholder capitalism. Just like a Supreme Court ruling is the law of the land, so is a board ruling the law of the land on strategic issues in that company. So that’s why I say the board is the epicenter of an organization.” Roosevelt Giles, EndPoint Ventures</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37409" src="/wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures.png" alt="" width="1017" height="584" srcset="/wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures.png 1017w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-300x172.png 300w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-180x103.png 180w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-768x441.png 768w, /wp-content/uploads/2025/05/Roosevelt-Giles-EndPoint-Ventures-600x345.png 600w" sizes="auto, (max-width: 1017px) 100vw, 1017px" /></p>
<p>CISOs want to be on boards. Veteran tech executive Roosevelt Giles wants to help them get there.</p>
<p>Four years ago, Giles founded a program aimed at helping C-suite executives and senior leaders—including Chief Information Security Officers—secure board appointments, positioning them as key contributors to organizational growth and strategic direction.</p>
<p>“I use an analogy that the board represents the Supreme Court of stakeholder capitalism,” said Giles, the Chairman of Endpoint Ventures and President of Stakeholder Impact Foundation, Inc.</p>
<p>“Just like a Supreme Court ruling is the law of the land, so is a board ruling the law of the land on strategic issues in that company. The board hires the CEO, and it is the board that gives the CEO the level of authority. So that’s why I say the board is the epicenter of an organization.”</p>
<p>For a CISO, sitting on a private, small cap, midcap or Fortune 500 board offers a potent combination of prestige and remuneration – anywhere from $100,000 to $400,000 per appointment, Giles said. But to be an effective board member, it’s essential to have a servant leader mindset, and the ability to walk away, he added.</p>
<p>“On that board, you also are the voice of the voiceless,” he said. “All of those suppliers, community non-profits, company employees who are out there showing up to work every day and making $10 to $15 an hour depend on you to make the right decision. You can’t take that responsibility lightly. If you’re doing it for the money, you won’t last.”</p>
<p>What makes someone attractive as a board member is being a cultural fit, strategic, insightful, and with a diversity of experiences, Giles said. But while CISOs must understand the impact of technology and how breaches would impact the business, “they do not have to be a genius on financials to sit on a board,” he said.</p>
<p>CISOs need to scan the horizons to see what boards they would like to sit on where they could add the most value, Giles said.</p>
<p>&#8220;Don&#8217;t outsource this responsibility—take charge of it yourself,&#8221; he said. &#8220;Conduct the analysis and identify the companies that can benefit from what you bring to the table that they need by enhancing their total shareholder returns and earnings per share.&#8221;</p>
<p>Giles is the son of a sharecropper whose parents believed in the power of education. With dual degrees in computer science and business administration, he has built and run technology companies for some 40 years.</p>
<p>When he was fresh out of college, working as a programmer, a mentor took a liking to him and arranged that he sit in on board meetings.</p>
<p>“There I witnessed the power and the influence of the people who sit around the table and how they interact with management, along with the impact on all stakeholders,” he said.</p>
<p>After growing and building companies himself, Giles has been asked to sit on multiple boards, beginning at age 31 – then about half the average age of other board members.</p>
<p>“It changed my life,” he said. “I went on to other boards, because once you get on one board, that gets telegraphed.</p>
<p>“It is much more difficult to get the interview than it is to get that first board seat. But once you get that first board seat, you’re in the club, and the majority of new board seats come from the club before they go outside the club.”</p>
<p>The 4 ½-month Board of Directors Program he founded teaches C-level executives and leaders up to two levels below them the technical and governance aspects of sitting on a publicly traded or private board, as well as the nuances.</p>
<p>The tuition-free program has trained about 140 fellows so far; 17 have gone on to get board seats. More recently, it has been working to accelerate results by asking companies to add an advisory slot to their boards for program fellows, who would fill the boards’ current skill-set gaps while getting board experience and building a board brand.</p>
<p>In today’s economy, the value of a company is intangible assets—brand reputation, intellectual property, and innovation—which are more valuable than physical assets. Boards that cultivate diverse perspectives, industry expertise, and strategic foresight are better equipped to anticipate risks, seize opportunities, and drive sustainable growth.</p>
<p>“The value of a company today is based around what sits on technology,” Giles said. “Therefore, for the company to thrive and live in perpetuity, you have to have those individuals who understand the transformational impact of technology on the business. That’s why technology professionals are starting to be in demand.”</p>
<p>The average age of board members has dropped, sometimes significantly. If, when Giles was first invited to join a board, he was a youthful anomaly, today boards are increasingly bringing on younger members – some in their twenties &#8212; because they’re digital natives, and the customer base of the company, he said.</p>
<p>Historically, boards were made up of CEOs, CFOs and COOs. But that paradigm is also changing, he said.</p>
<p>“In today&#8217;s business landscape, 80% of the value of an S&amp;P 500 company doesn’t sit on its balance sheet; it’s intangible assets such as brand, patents, IP, workforce, etc. Today, there is so much risk to a company because of technology and change,” he said. “So having individuals who understand the impact of technology, the value of technology, and how technology is a driver of earnings per share and total shareholder returns – that is what is starting to fuel the shift.”</p>
<p>The other piece is the Securities and Exchange Commission’s rules on cybersecurity, Giles said.</p>
<p>“In the past, boards put technology skills in the specialized skill set bucket and didn’t view technology skill directors as culturally relevant, but that has changed,” he said. “They see how AI’s transformative potential and cyber risk will put the company’s reputation on steroids. They understand that the board composition has to both change and expand to implement this degree of fiduciary oversight.”</p>
<p>Board opportunities with private companies are more plentiful because the number of public companies is limited, he said. “But I would not focus on a private board versus a public one. I would go for both of them,” he said.</p>
<p>When looking at a possible board seat, CISOs shouldn’t rush into a commitment, Giles said.</p>
<p>“Sometimes because they’re so anxious to get on a board, candidates make the mistake of taking the first one to come along. That’s a bad idea. You’re talking about a 10-year commitment on average, so you have to be sure that you want to be in a relationship with those individuals sitting around the table for 10 years.”</p>
<p>When interviewing for a board seat, candidates ought to meet individually with each board member to get a sense as to whether the placement would be a good fit, he advised.</p>
<p>Board members will need to devote about 400 hours a year to their board duties, and crises that erupt can take them away from their day jobs, he said. Candidates must therefore get their employer’s permission to accept a board offer, Giles said.</p>
<p>To deal with competing claims on their attention, CISOs need to do tabletop exercises at their enterprises, be aware of developments in their own industry and have processes and oversight in place, he added.</p>
<p>To shield themselves from possible liability suits, prospective board members should get a copy of the company’s D&amp;O insurance policy and consult with their personal lawyers to determine what sort of protections they would have, Giles said.</p>
<p>“Most people do not do that. They have no idea what exposure they may have from a personal perspective,” he said.</p>
<p>A top question boards will ask prospective candidates is how would your skills add value to our board of directors, Giles said. Another is, when was the last time you had to stand alone?</p>
<p>“You might have an issue where all the other board members say yes, and you say no, because the board’s fiduciary duty is individual, not collective,” he said.</p>
<p>A top question a candidate should ask the board is what does it see as emerging trends in the relevant industry or sector that technology can address, he said. Candidates should also ask whether the board has a speak-up culture, he added.</p>
<p>&#8220;Do your board members have direct access to major shareholders? Are they allowed to sit in on operational meetings in a listening capacity? Do you encourage board members to visit customers and suppliers? If the answer to these questions is no, it signals a deeper issue—an insecure CEO who treats the board as a rubber-stamping body rather than a true governance partner.</p>
<p>“A healthy board fosters open dialogue and strategic engagement,” Giles said. “If management dominates 70% of the conversation in board meetings, you’re not in a discussion – you’re attending a board governance concert. And that’s a key indicator of ineffective governance.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Marco Maiurano, First Citizens Bank Executive Vice President, Chief Information Security Officer</title>
		<link>/ciso-spotlight-marco-maiurano-first-citizens-bank-executive-vice-president-chief-information-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 13 Feb 2025 15:31:37 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37236</guid>

					<description><![CDATA[<p>The board doesn’t care about your EDR solution, says Marco Maiurano. The board doesn’t care about your GRC platform, either. “I know these are controversial statements, but boards want to&#8230;</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37238" src="/wp-content/uploads/2025/02/Marco-Maiurano-First-Citizens-Bank.png" alt="" width="1017" height="584" /></p>
<p>The board doesn’t care about your EDR solution, says Marco Maiurano. The board doesn’t care about your GRC platform, either.</p>
<p>“I know these are controversial statements, but boards want to know risk,” said Maiurano, the Chief Information Security Officer at First Citizens Bank. “They want to know metrics. They want to know the business impact.</p>
<p>“They want to know why you are investing where you’re investing. How are you reducing and mitigating that risk so that they can be assured that you are doing everything you possibly can to reduce the risk as much as you can, and allow them to make sure that they can effectively challenge and govern?”</p>
<p>Maiurano was introduced to the notion of risk management as director of cyber threat intelligence and the cyber defense center at AIG, where the hot new topic about a decade ago was cyber insurance.</p>
<p>“When I think about how most folks talk about cyber, we love to talk about technical stuff, but we fail to think that not everybody is a cyber expert. But what a lot of business leaders understand is risk and risk taking,” he said.</p>
<p>Cyber wasn’t even on the radar when Maiurano was in college. As an anthropology and microbiology major, he dreamed of moving to Africa to study epidemiology.</p>
<p>But after graduation he needed a job, and as an intern at Verizon, he unexpectedly found himself managing a team of 100 union employees on the network operations team at the World Trade Center in Manhattan. That office disappeared in the 9/11 attack, and he ended up helping to rebuild Verizon’s infrastructure at WTC.</p>
<p>His next job was running the SAT program for the College Board, with responsibilities including cybersecurity. Cheating was undermining the validity of the exam, so he started doing social media monitoring to try to contain it.</p>
<p>Citigroup then recruited him to help build a cyber intelligence center there, and cybersecurity positions at AIG, Barclays and First Citizens Bank followed.</p>
<p>In his current job, he was tasked with building an information security program from the ground up.</p>
<p>“The board and the executive leadership team had the foresight to say, ‘Our aspiration is to get bigger, and with that comes higher risk. And cyber is one of the key top risks to the organization.’ So they wanted someone to come in and build a program that would be able to scale,” he said.</p>
<p>Maiurano started almost 3 ½ years ago with a team of 14 people that has since grown to 500 as acquisitions catapulted First Citizens from a regional bank to a national one, opening up a significant amount of regulatory scrutiny.</p>
<p>His experience with risk management has served him well.</p>
<p>“I think the experience from having risk background and the pure operations background positioned me really well with the board at First Citizens because I am able to have a very risk-based conversation around the threats I’m seeing,” he said.</p>
<p>In many large industries, Maiurano sees the role of the CISO becoming more of a true executive role.</p>
<p>“There’s not one board conversation when you’re not talking about a cyber attack or some type of resilience. Regulators are driving a lot of this, but I think boards, at least in financial services, are making sure to engage with CISOs, and there’s an expectation that there is board exposure to the CISO.</p>
<p>“The CISO is not the person in the back room now making sure you’re patching your stuff and writing your reports,” he said. “The role is really around how am I partnering with the business to make sure that I can match their aspirations of where they want to take the organization. And eventually, I have a feeling that you’re going to see more CISOs on boards.”</p>
<p>Maiurano’s biggest challenges today are the regulatory environment and the dynamic threat landscape.</p>
<p>“It’s good and it’s important that we have regulation, but managing it takes an army to do that,” he said.</p>
<p>“And the threat environment is constantly evolving. One of the challenges is to make sure your board, your executive management team, the folks who own the funding, understand that. Peers have said they’ve been asked, ‘Well, nothing’s happened yet, so why should we continue to fund?’ And that’s a really hard conversation to have if you don’t have data and you don’t understand risk.”</p>
<p>The ever-changing threat environment means CISOs must try to keep pace with malicious actors as they use new technologies such as artificial intelligence.</p>
<p>“You don’t want to bring a knife to a gunfight, so you want to make sure that you are understanding where things are changing and going,” Maiurano said. “Technology is not going to stop, and we’ve got to figure out how to lean into it and make sure that we are leveraging it for good as well.”</p>
<p>CISOs not only have to identify risk, but they also operate the controls to mitigate it. The constant inundation with data, the constant analysis, and the constant efforts to rationalize create relentless pressure, and that takes a toll on security practitioners, Maiurano said. That makes watching out for the team’s well-being yet another challenge.</p>
<p>“Burnout is real in our industry,” he said. “How do you make sure you’re giving people rest? How are you making sure people are thinking about their health?”</p>
<p>Maiurano decompresses with martial arts – Brazilian jujitsu and Muay Thai. He also loves to travel with his family, with trips to Iceland and Easter Island in the offing.</p>
<p>Does he regret not going into epidemiology or anthropology?</p>
<p>“People often ask what I’m going to do when I retire, and I say, just be an anthropologist. It might be something I would go back into, but I don’t regret not having done it as a career,” Maiurano said. “My philosophy on life is you just go where it takes you. I don’t try to plan everything because as much as you plan, someone else has got another plan for you.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Anahi Santiago, ChristianaCare CISO</title>
		<link>/ciso-spotlight-anahi-santiago-christianacare-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Wed, 05 Feb 2025 16:58:19 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37227</guid>

					<description><![CDATA[<p>Building trust and driving meaningful change in healthcare cybersecurity. Anahi Santiago, CISO at ChristianaCare, shares her insights on effective leadership, mentorship, and work-life harmony. 'I want to be remembered by a legacy... thinking about the impact I had on healthcare, how I helped the industry evolve and improve.'</p>
]]></description>
										<content:encoded><![CDATA[<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37230" src="/wp-content/uploads/2025/02/Anahi-Santiago-Spotlight.png" alt="" width="1017" height="584" /></p>
<p>Interacting consistently with business leaders has allowed Anahi Santiago, Chief Information Security Officer at healthcare provider ChristianaCare, to win a coveted seat at the table.</p>
<p>“When I moved to ChristianaCare, one of the first things that I did was schedule time with all of the executives,” Santiago said. “And my approach wasn’t, ‘Here’s why cybersecurity is important,’ but to ask them, ‘What’s important to you? What are your challenges? What are the outcomes that you’re looking to achieve? And then let’s have a conversation about how I can help you through cybersecurity.’ That has helped to build the trust that has given me continuous invites to the table.”</p>
<p>Santiago began her career running all of the large global infrastructure projects for Unisys. “All of the areas I worked in had a cybersecurity component to them, and I just gravitated toward it. I just found the topic of security to be more interesting than other IT components,” she recalled.</p>
<p>Although “you couldn’t put a price on the knowledge I was gaining at Unisys,” she said, she was bartending to make ends meet. A contact there told her about an information security job opening at Einstein Healthcare Network, and that was the start of almost 20 years of healthcare cybersecurity experience.</p>
<p>“My husband reminds me all the time, ‘Not everybody loves their job like you love your job.’ I’m lucky,” she said.</p>
<p>Santiago’s background is in electrical and computer engineering, and her analytical mindset and a thirst for learning have shaped her ability to succeed in the ever-changing world of cybersecurity, she said.</p>
<p>But she is also a business-focused executive who puts a premium on translating complex technical concepts in a way that clinicians and business leaders can understand.</p>
<p>“By understanding their challenges I can help them to achieve their outcomes while building the trust that’s needed to create a culture of cybersecurity where we’re designing cybersecurity into strategy as opposed to bolting it on,” she said.</p>
<p>When she joined Einstein, there was no security program, so it was up to her to build one and convey its importance to executives and clinicians. That required getting to know the business.</p>
<p>“Taking that approach of getting to know the environment before just coming in and wielding controls that could potentially kill people was really important,” Santiago said. “And I’ve sustained that approach at ChristianaCare.”</p>
<p>This responsibility toward the lives and well-being of patients puts healthcare cybersecurity in a realm of its own, Santiago said.<br />
“I think a lot of people who work in healthcare, specifically in the provider space, are mission oriented. We all get up in the morning recognizing that what we do is really impactful to people’s lives, not just to the bottom line,” she said.</p>
<p>“I’m often asked, how do you want to be remembered? I want to be remembered by a legacy, people thinking about the impact I had on healthcare, how I helped the industry evolve and improve. I think we all have a passion and a mission, and as executives, we really have a unique opportunity to drive meaningful change.”</p>
<p>Mentorship is a topic close to Santiago’s heart. While many information security professionals fret about a lack of skills and talent, she has a different perspective.</p>
<p>“I think part of our roles as industry leaders should be to build and infuse the talent in the industry by not just looking for the tenured unicorn who has 15 years of experience and commands a ton of money,” she said. “We should be finding the people who are hungry to learn, hungry to contribute, and give them an opportunity by teaching them.</p>
<p>“I would rather hire somebody who doesn’t have any cybersecurity experience and give them the foundation to grow than to hire somebody I’m going to lose a year from now because the market is so competitive. So our approach to building our team is generally to look for that entry-level talent that is hungry to learn and contribute, teach them cybersecurity, elevate them through our team, grow them into senior-level roles, and then utilize them to then mentor the new generation of cybersecurity professionals.”</p>
<p>As an industry veteran, Santiago has seen the CISO’s role evolve from technologist to business leader, and she expects it to be elevated further, with increased influence, responsibility and posture within the organization. In many healthcare organizations, the position has merged with the role of Chief Technology Officer, she said. “And I won’t be surprised if sometime in the next decade the trend will be for information technology or other areas of the organization to report to the CISO,” she added.</p>
<p>The threat landscape is also evolving, with malicious actors transitioning from the guy in a basement to full-fledged companies with the ability to grow a lot faster than information security programs can just by nature of budgeting dynamics, Santiago said.</p>
<p>“For healthcare, the challenges will be around the fact that the four walls of the hospital are disappearing and virtual care is here to stay,” she said. “And so building architectures and capabilities where we have the same level of visibility as we do inside the four walls of the hospital is going to become critical.”</p>
<p>That’s going to be especially challenging at a time when healthcare budgets are getting tighter, she said.</p>
<p>In an era of CISO burnout, Santiago is a firm believer in work-life harmony. Years ago, she used to work 14 or 15 hours a day, but when she went to do an executive MBA, she had to cut back.</p>
<p>“Nobody noticed. My performance didn’t degrade, evaluations didn’t degrade, and at that point I realized, I’m not going back. I really believe in turning it off at the end of the day, and moving out to running marathons, going to dinner with my husband, and traveling,” she said.</p>
<p>“I’m intentional about drawing a line between work and my personal time, and I’m really protective of this. I think this is a message we need to make sure we’re delivering, and I’m certainly delivering this with my team.”</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Dr. Jamaine Mungo, Philadelphia International Airport CISO</title>
		<link>/ciso-spotlight-dr-jamaine-mungo-philadelphia-international-airport-ciso/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Tue, 12 Nov 2024 17:20:54 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37170</guid>

					<description><![CDATA[<p>Looking toward the future is what guides Dr. Jamaine Mungo, Chief Information Security Officer at Philadelphia International Airport. “I see myself as a captain on a ship, always looking ahead&#8230;</p>
<p>The post <a href="/ciso-spotlight-dr-jamaine-mungo-philadelphia-international-airport-ciso/">CISO Spotlight: Dr. Jamaine Mungo, Philadelphia International Airport CISO</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="1017" height="584" class="wp-image-37173" src="/wp-content/uploads/2024/11/Dr.-Jamaine-Mungo-Philadelphia-International-Airport-CISO.png" alt="" /></figure>



<p><span style="font-weight: 400;">Looking toward the future is what guides Dr. Jamaine Mungo, Chief Information Security Officer at Philadelphia International Airport.</span></p>
<p><span style="font-weight: 400;">“I see myself as a captain on a ship, always looking ahead toward the horizon, not just thinking about now, but thinking about the future,” Mungo said. “That helps me to really look out to see what’s coming down the line so that we can be prepared to be proactive and not reactive.”</span></p>



<p><span style="font-weight: 400;">Innovation is a major pillar of his security program. <br /><br />“When I speak of innovation, I’m looking at automation and the use of AI to really help dig into the data so that it is beneficial to our environment,” Mungo said. “My team does a great job at ensuring the required controls are in place and maintained to keep us moving ahead and planning for the ‘when,’ not the ‘if.’ I’m really excited about that.” <br /><br />Staying innovative is his top advice to security practitioners just entering the field. <br /><br />“Coming in, you’ll see many problems,” he said. “Bring that level of new eyes on a problem to develop a strong solution so it will never be a problem again.” </span></p>



<p><span style="font-weight: 400;">Having started on a customer help desk, listening to users and hearing their problems, was a formative experience.</span></p>



<p><span style="font-weight: 400;">“Having a customer service base, and then turning problems into solutions, has helped me evolve over time,” said Mungo. “Throughout my career I have kept that in my back pocket.” <br /><br />Before arriving at Philadelphia International Airport this year, Mungo secured government agencies and corporations, with roles at Lockheed Martin, Comcast, and the Office of the Attorney General of New Jersey. His experience has given him a grounded understanding of what it takes to secure environments big and small, helping him to know what areas to lock down to keep that level of security at an optimal presence, he said. <br /><br />The sheer size and complexity of an airport is a challenge, but being prepared, along with having a plan in place, is very important.<br /><br />“But I’m always optimistic, knowing that I have the proper resources in place, all the proper controls in place, to ensure that the environment stays secure, that flights can take off and land, and passengers are happy,” Mungo said.</span></p>



<p><span style="font-weight: 400;">Sharing knowledge has always been a big part of Mungo’s professional life. At PHL, knowledge-sharing has come to play an even bigger role. <br /><br />“Within the aviation industry specifically, there’s a huge component of knowledge sharing, through forums and groups,” Mungo said. “Ten, fifteen years ago, there was not a lot of knowledge sharing. But now, with a constant level of threats, and potential impacts on an environment, people tend to share. Knowing what’s going on in someone else’s environment can help you out on your own, so you’re not spinning your wheels in the mud trying to figure something the next person has already figured out.”<br /><br />The landscape on which CISOs operate is so wide that they have to wear many hats when it comes to governance, risk, compliance, vulnerability management, threat intelligence, and talking to senior management and the board, Mungo said. Another crucial component is knowing the business, he added. <br /><br />“You’ve got to know how the business operates, how it functions, how it makes money, who the key stakeholders are, and what’s being done to grow the business,” he said. “Knowing how the business functions allows me, as a CISO and a leader, to function and be aligned with the business.”<br /><br />Looking ahead, Mungo sees already-prolific ransomware attacks getting smarter day by day. <br /><br />“The reason they’re so successful is because they prey on the user sitting behind a keyboard,” said Mungo, author of </span><i><span style="font-weight: 400;">Anatomy of Cyber Attacks: Exploitation of the Weakest Link. </span></i><span style="font-weight: 400;">“Companies have invested millions of dollars into using protective solutions to secure their environments, but all that gets compromised when a user gets exploited. That’s the biggest trend I’m seeing over the years, exploiting the actual user. 
<br /><br />“Another trend I see is adversaries targeting third party companies, because they have fewer controls in place. So I would say having a strong third party risk management program in place is crucial.”<br /><br />As an industry veteran with more than 25 years of experience, Mungo has accumulated a great deal of knowledge that he is committed to passing on. <br /><br />“I’ve always been a big fan of giving back to the community or to academia,” said Mungo, who holds a doctorate in Cybersecurity and has been a professor at Cornell University, Purdue University and North Carolina A&amp;T State University.<br /><br />“When it comes to academia, I know that I’m giving back to the next generation of leaders and equipping them with the knowledge and toolsets that will help them in their career or to get started in the career they make and help them excel.” <br /><br />Successful CISOs listen and learn, Mungo said. <br /><br />“You’ve got to have that customer service base level. Are you talking to people? You’ve got to know how to listen to people, first to understand the problem, and then to develop a solution.”<br /><br />They also need to set goals and objectives, and know how to articulate messages if they want to influence and lead, he added. <br /><br />“We’re talking to a wide range of people, so having the ability to communicate is definitely key,” Mungo said. <br /><br />Mungo is deeply committed to community service, serving as president of the Kappa Iota Lambda Alumni Chapter of Alpha Phi Alpha Fraternity, Inc., which honored him with the Leader of the Year Award for his dedication to community development and engagement. He leads various regional programs supporting youth development, college preparedness and career development. 
<br /><br />“I’ve always been an advocate of supporting, uplifting and serving the community, to give them what is needed to thrive,” Mungo said. </span></p>



<p><span style="font-weight: 400;">Aside from his community work, Mungo spends off-duty time running, going to the gym, and playing football and basketball to relax and decompress.</span></p>
<p><span style="font-weight: 400;">“I tell my friends, you don’t just have to work,” he said. “Have something else to do to really balance yourself after your day job. I do that all the time. It helps with release of stress to focus on something other than work. Burnout is really real.”</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>CISO Spotlight: Jack Burback, Wintrust Financial Chief Security Officer</title>
		<link>/ciso-spotlight-jack-burback-wintrust-financial-chief-security-officer/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Wed, 23 Oct 2024 18:10:20 +0000</pubDate>
				<category><![CDATA[CISO Spotlight]]></category>
		<guid isPermaLink="false">/?p=37160</guid>

					<description><![CDATA[<p>Innovation is key to staying ahead of the curve on cybersecurity, and at Wintrust Financial, Chief Security Officer Jack Burback has established innovation teams to create new resources and develop&#8230;</p>
<p>The post <a href="/ciso-spotlight-jack-burback-wintrust-financial-chief-security-officer/">CISO Spotlight: Jack Burback, Wintrust Financial Chief Security Officer</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37162" src="/wp-content/uploads/2024/10/JACK-BURBACK.png" alt="" width="1017" height="584" /></span></p>
<p><span style="font-weight: 400;">Innovation is key to staying ahead of the curve on cybersecurity, and at Wintrust Financial, Chief Security Officer Jack Burback has established innovation teams to create new resources and develop subject matter expertise.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“We take volunteers from each of my teams, representing fraud, access management, information security, corporate security and the like, they look at all of the different threats and opportunities that we have, and then they create recommendations,” Burback said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“They formulate a training curriculum, identify use cases and different technologies we should consider. One of our goals is to develop a subject matter expertise group within our team that can evaluate the space and provide recommendations on how we could move forward, as well as help support the business when it has questions.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The first team was created around artificial intelligence, and another is considering the future of financial services.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“The team members, who meet virtually, really like it because it’s not part of their daily job, and they really get to think outside the box,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Burback started out in the industry doing information technology consulting, then joined HSBC to help build out its global security programs for incident management and third-party risk management. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At HSBC, he saw an excellent opportunity to strengthen his understanding of the financial industry. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“It was pretty obvious to me that most of my strengths were in the technology side of things, and that I really needed to expand my understanding of business to be a better leader and business partner,” he said. “So that’s why I went to get an executive MBA.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“These days, to be a successful CISO, you have to understand the business. If you’re strictly focusing on it from a technology or risk perspective, you’re going to miss a lot of the opportunities to support the business by reducing the risk as it moves into different areas or considerations.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">After several years at HSBC, Burback moved to security integrator Forsythe Technology, advising Fortune 1000 customers on building security programs. He then pivoted to the startup world, building Ionic Security’s services program from the ground up.</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">A former HSBC colleague brought him into Wintrust as his deputy CISO. He was appointed chief security officer nearly three years ago, with responsibility for information security, access management, fraud and physical security. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Part of information security ties back to the physical controls around protecting information,” he said. “A large part of fraud is also tied to technology components. And so we decided as an organization to bring those together since there was quite a lot of intersection, and it’s worked quite well.” </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Burback’s wide-ranging experience has given him “a unique opportunity to see both how the vendor side works, in addition to the corporate side, from a financial services perspective as well as professional services,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">At Wintrust, Burback places an emphasis on bringing in good talent and developing the team. He offers a well-defined career path that includes getting team members the training and opportunities they seek to make an impact within the organization. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“If we’re able to continue to challenge them and bring them new opportunities, I think it goes a long way,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">He has also developed a program to help recent college graduates get a foot in the door. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“You don’t have very many positions at all in the industry for entry level recent graduates. So we’re seeing individuals with master’s degrees in cybersecurity taking internships because they don&#8217;t have entry level positions available to them,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“We created a rotational program where we’re taking recent college grads full time for two years, and each six months they work in a different area of information security. This program makes them very well rounded, and they can take a position somewhere in the team when that opens up. It also gives them a better understanding of what they would like to do in the information security space, where there is such a broad array of jobs.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Becoming well-rounded is his top advice to all new security practitioners. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Don’t pigeonhole yourself in one area. You really need to understand the full scope of the information security space as a whole by leveraging opportunities to expand your role and ongoing training.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">The other big piece is to understand your business, he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“Start to network within your organization with those who are not on the information security team to understand different departments, what’s important to them, and what makes the company successful as a business,” he said. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“That gives them some great visibility to why the business may push back or have concerns with certain controls, or how their requirements may change over time.”</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Five years ago, Burback and a group of other CISOs founded a not-for-profit called ChiBrrCon, which mounts an annual conference in Chicago to help develop information security talent, and to provide networking and other opportunities for people trying to get into the business. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">Outside of work, Burback, his wife and four children are very active, going boating and fishing and camping. He serves as assistant coach on his boys’ hockey team, and plays a lot of hockey himself, as goalie. </span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;"><br />
</span><span style="font-weight: 400;">“There’s a direct parallel to my playing goalie,” he said. “It’s been pointed out many times that it correlates to my profession.”</span></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Pukar C. Hamal, Founder and CEO, SecurityPal</title>
		<link>/pukar-c-hamal-founder-and-ceo-securitypal/</link>
		
		<dc:creator><![CDATA[Amy Teibel]]></dc:creator>
		<pubDate>Thu, 17 Oct 2024 13:07:55 +0000</pubDate>
				<category><![CDATA[Vendor Spotlight]]></category>
		<guid isPermaLink="false">/?p=37150</guid>

					<description><![CDATA[<p>SecurityPal has set out to end the dreaded security review with an AI-driven platform designed to help companies drive revenue and growth by swiftly navigating the chaotic and time-draining assessment&#8230;</p>
<p>The post <a href="/pukar-c-hamal-founder-and-ceo-securitypal/">Pukar C. Hamal, Founder and CEO, SecurityPal</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-37152" src="/wp-content/uploads/2024/10/SecurityPal-Spotlight.png" alt="" width="1017" height="584" /></span></p>
<p><span style="font-weight: 400;">SecurityPal has set out to end the dreaded security review with an AI-driven platform designed to help companies drive revenue and growth by swiftly navigating the chaotic and time-draining assessment process. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Security assessments are one of the top blockers within sales. Typically they involve chasing down answers to hundreds of questions that steal time from winning deals, protecting companies, and delivering value to customers. </span></p>
<p><span style="font-weight: 400;">SecurityPal cuts down that mountain of paperwork with a consolidated platform that boasts a 90% completion rate and 24-hour turnarounds. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">With OpenAI scaling at high speed, Head of Governance, Risk and Compliance Nick Hamilton knew he needed an external vendor to help navigate the security review process. He did short trials with three companies offering security review services, but SecurityPal was different right out of the box, he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“They were willing to partner with us to codify our process and to work with us to improve that quickly over time,” he said. </span></p>
<p><span style="font-weight: 400;">This commitment to collaborate and evolve gives clients confidence that the company will meet their needs as they understand them. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“I can’t overstate how important it is that they’re easy to work with. I can give them any feedback, and they will work with us to implement it,” Hamilton said. “That’s a huge differentiating factor.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">SecurityPal was born out of founder and CEO Pukar Hamal’s personal frustration with the challenges around security reviews.</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“That planted the seed that something needed to get done,” said Hamal, a serial entrepreneur and investor. “And then as I talked to other technology and security leaders, I realized that this was a bigger and bigger challenge, and it really validated the idea. When we started booking revenue and closing deals, that was the sign that this was something that could sustain itself.” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">SecurityPal’s solution, powered by artificial intelligence but verified by humans, offers consistent and accurate responses – a critical benchmark to maintain compliance and customer trust. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Automation speeds things up vastly, but the human element – a team of security analysts that scrutinizes the results – is critical to make the call that the answer is good. That helps give clients more confidence in the process, Hamal said.</span></p>
<p><span style="font-weight: 400;">Companies need to demonstrate assurance to their customers instantly and in real time when their customers demand it, and that is going to be a big differentiating competitive advantage, Hamal said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“The faster higher quality assurance that you can deliver, and the faster higher quality assurance that you can get, puts you on the best footing for the future. And that is what we&#8217;re helping companies really drive towards.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">SecurityPal has become the go-to partner for companies ranging from fast-growing startups to Fortune 100 firms. On average, each of them receives 100 questionnaires a year. A team of one to two people would be required to complete that manually, Hamal said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“They’re reclaiming thousands of hours of productivity every year,” he said of customers. “And it’s not just about getting the job done. It’s how do you draw insights from that data? How do you help the company position itself with the market that it’s going after? How do we help position those companies to deliver much better assurance to their customers?” </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">SecurityPal started out on the sell side, helping companies selling a product or service to do it faster. But now it’s on the buy side as well, helping companies obtain a robust understanding of their vendors. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“Nth party management is going to be a core component,” Hamal said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Companies need to prepare themselves to be meticulously scrutinized around any AI offerings they may have, he said. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“A lot of companies are embedding AI into their solutions, and that AI needs a lot of data to work, and so the scrutiny for companies is increasing due to AI requirements and regulations,” he said. “There are more data privacy and security regulations that are going into effect across the United States as well as globally. It’s a massive trend.”</span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">Hamal takes pride that SecurityPal, which has raised $21 million from investors including Craft Ventures and Andreessen Horowitz partner Martin Casado, isn’t willing to grow at all costs. </span><span style="font-weight: 400;"><br />
</span></p>
<p><span style="font-weight: 400;">“We’re trying to grow responsibly so that we’re around for our customers, not just for over the next year, but for the next five, ten years and beyond,” he said. “We look at our financial health as a key component of our business resiliency.”</span><span style="font-weight: 400;"><br />
</span></p>
<p>The post <a href="/pukar-c-hamal-founder-and-ceo-securitypal/">Pukar C. Hamal, Founder and CEO, SecurityPal</a> appeared first on <a href="https://securitycurrent.com">Security Current</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
