Nisha Patel, CISO at Ocorian
- James Pepper
- Feb 4
- 21 min read
Updated: Feb 19
Sponsored by: Forescout Technologies & Robiquity

We sat down for coffee with Nisha Patel, Chief Information Security Officer (CISO) at Ocorian, responsible for cybersecurity strategy, risk management, and overall security posture of the organisation.
Ocorian is a global provider of fiduciary and administration services. Safeguarding sensitive data and maintaining trust are central to their operations and values.
DE: Hey, Nisha - Welcome to Digital Edge! It’s a pleasure to speak with you and thank you for taking the time to share your thoughts, experiences and career journey with us and our audience. Let’s start by understanding what inspired you to focus on cybersecurity in financial services in the first place…
NP: My professional journey in cybersecurity began with a strong foundation in Technology, specifically Infrastructure. Over the years, I’ve accumulated experience across various sectors, including Government, Transport, Finance, and Entertainment, which gave me a comprehensive understanding of how different industries approach security. This cross-sector exposure helped me develop a holistic view of cyber risk, which I now apply in my current role.
I was drawn to cybersecurity in the financial services sector because of the unique challenges and high stakes involved. Financial institutions, like Ocorian, handle vast amounts of sensitive data, which makes them prime targets for cyber threats. I was inspired by the opportunity to contribute to protecting such critical assets and ensuring that businesses can operate securely, even in the face of evolving cyber threats. The dynamic nature of the cybersecurity landscape, coupled with the need for proactive defence strategies, has kept me passionate about this field.
Working in cybersecurity within financial services presents distinct challenges, from regulatory compliance to the complexity of protecting financial transactions and client information. I’m committed to helping Ocorian navigate these complexities by fostering a strong security culture, implementing cutting-edge security technologies, and ensuring that cybersecurity is deeply integrated into the organisation’s strategic goals.

DE: How is AI transforming cybersecurity in the financial services sector, and what are its key benefits and challenges from a leadership perspective?
NP: AI is having a significant impact on cybersecurity in the financial services sector, and I believe it’s really reshaping how we approach both threats and risk management. From my experience, AI offers several key benefits but also presents unique challenges, especially when viewed from a leadership perspective.
Firstly, one of the major benefits of AI is enhanced threat detection and response. In financial services, we handle vast amounts of sensitive data, and AI-powered tools can analyse this data at scale to spot anomalies or patterns that could signal a potential cyber threat. This is especially important with increasingly sophisticated cyberattacks, such as advanced persistent threats or zero-day exploits, that are harder for traditional systems to detect. AI helps us identify these threats much earlier in the process.
AI also enables automation, which is a game-changer for efficiency. Many routine security tasks—like log analysis or vulnerability scanning—can now be automated using AI, freeing up our security teams to focus on more strategic priorities. This not only makes threat detection faster but also allows for quicker incident response, which is critical in minimising the damage caused by an attack.
Another key benefit is predictive risk management. By analysing historical data, AI can help identify potential vulnerabilities or risks before they’re exploited, allowing us to take a more proactive stance in managing security. This is a huge advantage in the fast-paced financial world, where preventing a breach can be far more cost-effective than dealing with its consequences.
However, the introduction of AI also comes with its challenges, especially from a leadership standpoint. One of the first challenges we face is the complexity of integrating AI into existing cybersecurity systems. Many financial institutions have legacy systems in place, and integrating AI tools with those systems can be a major hurdle. The implementation process can be disruptive, time-consuming, and costly, and leaders need to ensure they have the right resources and expertise to manage the transition.
There’s also the challenge of data privacy. Financial services are highly regulated, and AI requires access to large datasets to function effectively. As a leader, ensuring that AI systems comply with data protection regulations like GDPR and other local laws is critical. We need to make sure that AI systems are secure and that sensitive customer information isn’t inadvertently exposed or mishandled.
From a talent perspective, there’s also a skills shortage. The demand for professionals with both cybersecurity and AI expertise is high, and it can be difficult to find the right talent to manage and oversee AI-powered security tools. As a leader, this will mean investing in continuous education and training to ensure that our teams are prepared to handle the complexities of AI.
Finally, as AI plays a larger role in cybersecurity, there’s the potential risk of adversarial attacks on the AI systems themselves. Cybercriminals can attempt to manipulate AI models, which can have serious consequences. Leaders need to ensure that AI-driven systems are resilient and robust enough to withstand such attacks. We need to balance the immense potential of AI with the risks, ensuring that we deploy these technologies responsibly, with a clear focus on data security, ethical considerations, and continuous learning.
DE: Trust is critical in financial services. How do you approach building and maintaining client trust in an era of increasing cyber threats?
NP: Building and maintaining client trust in financial services is more challenging than ever, especially with the ever-evolving cyber threats. As a CISO, I see trust as the foundation of everything we do. In this era of increasing cyber threats, it's essential that we not only focus on securing systems but also on communicating transparently and effectively with our clients.
One of the first things I always emphasise is a proactive, transparent approach to cybersecurity. Clients need to know that their sensitive data is being actively protected. This means implementing robust security measures, but also sharing those measures with our clients so they feel confident in the steps we’re taking. Regular communication about the security tools we use, how we’re monitoring threats, and our ongoing efforts to stay ahead of emerging risks builds that sense of security. It’s not just about having security in place; it’s about making sure our clients feel that we are genuinely invested in their safety. I am often invited to Client Boards to give updates, and I feel this is my opportunity to share how Ocorian is safeguarding the Client’s data and drive discussion around what the Client expects.
Another key aspect is adherence to regulatory standards and compliance. In the financial services sector, clients trust us with their most sensitive information, and there are strict regulatory frameworks—such as GDPR and others—that govern how we manage that data. By not only meeting but exceeding regulatory requirements, we demonstrate our commitment to data security and client privacy. Clients need to know that their financial and personal data is in the hands of professionals who take privacy seriously.
DE: Data is at the heart of financial services. How do you balance leveraging data for innovation while ensuring it remains secure?
NP: Balancing the need to leverage data for innovation with the imperative to ensure its security is one of the most critical challenges we face in financial services today. At Ocorian, we recognise that data is a powerful tool for driving innovation, but it also requires robust protection.
We are currently maturing our data governance framework to ensure that we are both innovating with data and maintaining the highest security standards. This framework is being designed to provide clear policies and processes around how data is collected, stored, accessed, and shared. By continuously refining and strengthening our governance practices, we ensure that as we push the boundaries of data innovation, we do so in a way that protects our clients and adheres to industry best practices.
One of the fundamental components of this framework is data encryption and access controls. As part of our evolving governance, we continue to invest in strong encryption techniques to protect data both at rest and in transit. These encryption measures, combined with strict access controls, ensure that sensitive financial data is safeguarded while allowing for its secure use in innovation initiatives.
As we mature our data governance, we will also focus on ethical data usage. For example, while data analytics and machine learning drive innovation, we will ensure that the data used is anonymised or pseudonymised to protect personal information. This enables us to gain valuable insights and develop new solutions without compromising privacy. Additionally, we work closely with our teams to reinforce responsible data practices, ensuring that innovation occurs within clearly defined boundaries.
We also recognise the importance of continuous risk assessments and monitoring as part of our evolving data governance. By tracking data access and usage across the organisation, we can quickly identify and address any potential vulnerabilities before they pose a significant risk. This continuous oversight helps us remain agile and proactive in managing data security.
When it comes to third-party partnerships, we are careful to ensure that any external providers we work with align with our maturing data governance framework. Through thorough due diligence, including security audits, we confirm that their security practices meet our high standards before we integrate their services into our operations.
Lastly, regulatory compliance remains at the heart of everything we do. As our data governance framework matures, we ensure that we remain fully compliant with industry regulations such as GDPR, CCPA, and others. This commitment to regulatory adherence is not only a legal obligation but also a cornerstone of maintaining the trust of our clients as we innovate.
DE: What emerging cyber threats are you most concerned about, and how do you prepare your team and organisation to mitigate these risks?
NP: Emerging cyber threats are constantly evolving, and as a CISO, staying ahead of them is one of my top priorities. There are a few key threats I’m particularly concerned about in the financial services sector right now:
As AI technologies continue to develop, we’re seeing cybercriminals using AI to launch more sophisticated, automated attacks. AI can be used to generate realistic phishing emails, create deepfakes, or even find and exploit vulnerabilities in our systems. These attacks are faster, more targeted, and harder to detect. To mitigate this, we’re investing in AI-powered defence mechanisms that can identify abnormal patterns and detect attacks in real-time, as well as training our teams to recognise the signs of AI-driven threats.
Ransomware attacks have become increasingly complex, often involving double extortion, where cybercriminals not only encrypt data but also threaten to release sensitive information unless the ransom is paid. This is particularly concerning in financial services, where sensitive customer and financial data is at stake. We prepare by maintaining a strong backup and disaster recovery strategy, conducting regular tabletop exercises, and ensuring that our incident response plans are robust and can handle such complex attacks.
As businesses become more interconnected, attacks on third-party vendors or service providers are becoming more prevalent. These attacks can be devastating because they allow attackers to bypass security measures by targeting trusted partners. To address this, we’ve implemented strict vendor management policies, conduct regular third-party risk assessments, and ensure that all suppliers adhere to the same cybersecurity standards we uphold.
While external threats get a lot of attention, insider threats—whether malicious or inadvertent—remain a significant risk. Financial services organisations have high-value targets, and insider threats, whether from disgruntled employees or a lack of cybersecurity awareness, can be difficult to detect. We address this by implementing strong access controls, conducting regular security awareness training, and utilising user behaviour analytics tools to detect unusual activities or signs of potential insider threats.
With the increased adoption of cloud services, the security of data stored and processed in the cloud is a growing concern. Misconfigurations, lack of visibility, and data leaks are key issues. We mitigate this risk by ensuring strong encryption practices and maintaining a clear understanding of the shared responsibility model with our cloud providers.
To prepare our team and organisation to mitigate these emerging risks, we focus on a few core strategies:
Cybersecurity is not just the responsibility of the Security team; it’s everyone’s responsibility. We conduct regular training programs across the organisation to ensure that everyone understands the latest threats and how they can contribute to reducing risk. This includes simulated phishing attacks, security awareness workshops, and targeted training on specific risks like ransomware and social engineering.
No single security measure can protect against all threats, which is why we implement a layered defence strategy. This includes a mix of technologies such as endpoint protection, firewalls, intrusion detection systems, encryption, and a co-managed Security Operations Centre. By having multiple layers of defence, we increase the likelihood of detecting and mitigating an attack before it can cause significant damage.
We regularly test our incident response plan with real-world simulations and tabletop exercises, ensuring that our team is prepared to act quickly and decisively in the event of a cyberattack. This preparation involves cross-functional teams from IT, legal, communications, and management to ensure that every aspect of a breach is handled efficiently—from technical response to public communication.
In an environment where threats are constantly evolving, collaboration is key. We actively participate in industry groups, information-sharing platforms, and threat intelligence networks to stay informed about the latest tactics, techniques, and procedures (TTPs) used by attackers. This helps us stay ahead of emerging threats and adapt our defences accordingly.
Regular red teaming and penetration testing allow us to simulate real-world attacks and identify potential vulnerabilities before an actual attacker can exploit them. These exercises provide valuable insights into where we may be exposed and help us continuously improve our security posture.
DE: As a leader, how do you guide your team and organisation during a major cyber incident or data breach?
NP: Handling a major cyber incident or data breach is one of the most challenging situations any leader can face. As a CISO, it’s critical to maintain a calm, decisive approach and ensure that both the immediate response and long-term recovery efforts are well-coordinated.
One of the first things I do as a leader is to remain calm and focused. A cyber incident is often chaotic, but it’s important to reassure the team and the wider organisation that we have a plan in place and are in control. Clear, concise communication is crucial during a breach. I would immediately assemble the Cyber Security Incident Response Team and ensure everyone knows their roles and responsibilities to prevent confusion.
We have a well-documented incident response plan that is tested. When a breach occurs, the first step is to activate this plan. This plan includes predefined procedures for containing the breach, mitigating further damage, investigating the cause, and recovering systems. It’s vital to act quickly, and our plan helps streamline our response, ensuring we focus on the most critical actions first.
The priority in the early stages is to contain the breach to prevent it from spreading further. This may involve isolating compromised systems, disconnecting certain networks, or restricting access to sensitive data. We have protocols in place for these actions, and I would ensure that the team works swiftly to minimise the impact on clients and operations.
Throughout the process, communication with stakeholders is key. Internally, I would work closely with the executive team to ensure they understand the severity of the situation and that we are taking appropriate actions. Externally, if needed, we communicate with regulators, law enforcement, and, if appropriate, affected clients. Transparency is vital, and we make sure that we provide timely updates without speculating or causing unnecessary alarm.
Once the immediate threat is contained, we would begin the forensic investigation to determine the cause of the breach, how it happened, and which data or systems were affected. This is where our cybersecurity experts and external partners—such as forensic investigators or legal advisors—play a crucial role. As a leader, I would ensure that we document everything thoroughly, as the results of this investigation will guide our next steps, including regulatory notifications, remediation, and any potential legal actions.
Cyber incidents often stem from human error or social engineering tactics, and managing the human element is crucial. After a breach, we would provide support to affected employees, whether they are involved in the breach or need assistance with cybersecurity training or stress management. I would also ensure that our broader organisation is trained to recognise common threats, such as phishing, in the future, to prevent further breaches.
In the case of a breach affecting client data, protecting customer trust is paramount. I would work with the communications team to prepare a clear and transparent message to clients. The message outlines what happened, the impact (if any), how we are addressing the situation, and what steps we are taking to prevent it from happening again.
Once the investigation is complete, we would begin the process of remediation—repairing the systems, strengthening security measures, and closing any gaps identified during the breach. We would conduct post-incident reviews to understand what went wrong, what went well, and how we can improve our response in the future. This review involves the entire incident response team and key stakeholders to capture lessons learned.
After the breach, we would not only focus on recovery but also ensure that we strengthen our defences to prevent future incidents. This might include upgrading systems, implementing stronger access controls, conducting additional training, or even revising our incident response plans based on the insights gained from the incident. As a leader, I would make it a point to ensure that the team is empowered to take immediate corrective action, and that we continuously improve.
Lastly, I work to foster a culture of resilience within the organisation. Cyber incidents are inevitable, and it’s important that the team remains agile and focused on recovery. I encourage a mindset where we learn from our mistakes, share insights, and stay ahead of emerging threats through continuous training and simulation exercises. Ensuring that the organisation feels supported and confident moving forward after a breach is vital to maintaining morale and trust.
DE: How do you ensure AI tools used in cybersecurity adhere to data privacy regulations, especially in global financial services?
NP: At Ocorian, we take a cautious approach to the adoption of AI in cybersecurity, recognising both its immense potential and the complexities it introduces, especially when it comes to data privacy regulations. While AI tools can provide significant benefits in enhancing our security posture, we are still in the infancy of integrating AI into our cybersecurity strategy and ensure that any use of AI is done in a way that prioritises compliance with global data privacy standards.
Thorough Understanding of the Regulatory Landscape: We are committed to fully understanding the diverse data privacy regulations that apply across the jurisdictions in which we operate, such as GDPR in the EU, CCPA in California, and others. As we adopt AI tools, we ensure that they align with the applicable regulations by conducting detailed reviews of the data privacy requirements in each region. This ensures that we’re not only staying compliant but also protecting our clients' privacy at every step.
Since we are still early in our AI adoption, we take extra care to ensure that AI tools are only processing the minimum amount of personal data necessary for security purposes. We apply data anonymisation and pseudonymisation practices to ensure that sensitive information is protected. AI tools are configured to process data in a way that limits the exposure of personally identifiable information (PII), ensuring that privacy is upheld even during the experimentation phase of AI deployment.
Even though we are in the early stages of AI adoption, we are committed to ensuring that privacy is built into the process from the beginning. We take a “Privacy by Design” approach, ensuring that any AI tool we consider is designed to minimise data usage, incorporate robust encryption, and comply with data retention policies. This means embedding privacy considerations into the design, testing, and deployment phases of AI tools.
While AI tools can offer powerful capabilities, the security of data remains paramount. As we incorporate AI into our cybersecurity strategy, we ensure that any data processed by AI tools is encrypted both at rest and in transit. Secure data storage practices are implemented to ensure that any sensitive information handled by AI tools is well-protected from unauthorised access.
As we explore AI solutions from third-party vendors, we ensure that the vendors adhere to strict data privacy and security standards. Given that we’re still early in our AI journey, we work closely with vendors to ensure that their tools comply with global privacy regulations. We also negotiate clear contractual agreements that hold them accountable to our data protection standards.
Since AI in cybersecurity is still an emerging area, we will be investing in continuous training to ensure our teams understand both the potential and the risks associated with AI tools. We focus on training our employees on best practices for data privacy and compliance as they relate to AI, and we encourage them to stay informed about evolving regulations and technology.
DE: What role does fostering a culture of cybersecurity awareness play in securing an organisation, and how do you instil this at Ocorian?
NP: Fostering a culture of cybersecurity awareness is absolutely critical in securing any organisation, especially in today’s threat landscape where human error is often the weakest link in a security chain. Cybersecurity is no longer just the responsibility of the Security Team; it must be a collective effort across all levels of the organisation. At Ocorian, we understand that building and maintaining a culture of cybersecurity awareness plays a pivotal role in protecting our data, assets, and client trust.
A large percentage of cybersecurity incidents, such as phishing attacks or social engineering, are successful due to human error or lack of awareness. By embedding cybersecurity awareness throughout the organisation, we significantly reduce the chances of falling victim to these types of attacks. When everyone, from entry-level employees to senior leadership, understands the threats and knows how to respond appropriately, the organisation becomes more resilient to attacks.
Cybersecurity awareness is about fostering a proactive mindset, not just a reactive one. When employees are aware of potential threats and understand the risks, they are more likely to be vigilant and take actions to prevent incidents before they occur. We encourage our employees to always question suspicious activity, use secure practices, and prioritise security in their daily workflows.
At Ocorian, cybersecurity is not an afterthought—it’s part of our organisational DNA. We aim to instil a mindset where security is considered in every decision, process, and technology deployment. Whether it’s handling client data, accessing sensitive systems, or simply using email, security is always top of mind. This approach ensures that everyone plays a role in safeguarding the organisation, and security is seen as a shared responsibility.
We invest in continuous training programs that keep cybersecurity top of mind. This includes regular, engaging cybersecurity awareness training, where we not only educate our team on the latest threats but also teach them practical steps they can take to mitigate risks. It’s not a one-time training but an ongoing effort to ensure the message stays relevant and top of mind.
One of the ways we instil a culture of cybersecurity awareness is through clear, accessible communication of our security policies and procedures. Employees need to know not just the “why” of cybersecurity, but also the “how.” We provide easy-to-understand guidelines on everything from password management to data handling and reporting suspicious activity. This ensures that employees have the information they need to act responsibly and in line with our security protocols.
As a leader in cybersecurity, I know the importance of leading by example. At Ocorian, senior leadership is actively engaged in fostering a cybersecurity-first mentality. Our executives understand the risks involved and regularly participate in security awareness initiatives. This commitment from the top ensures that security is prioritised at all levels and that employees see that cybersecurity is a critical business issue, not just a technical one.
DE: The financial services industry faces stringent cybersecurity regulations. How do you ensure compliance while driving innovation?
NP: Ensuring compliance with stringent cybersecurity regulations while fostering innovation is a delicate balance, but it’s a challenge that is critical for organisations in the financial services industry. At Ocorian, we recognise that regulatory requirements are crucial to the trust and security with our clients. However, we also understand the importance of innovation in maintaining a competitive edge, enhancing operational efficiency, and responding to emerging threats.
The first step in ensuring compliance while innovating is to have a robust foundation in place. At Ocorian, we have a comprehensive cybersecurity framework that aligns with industry standards and regulatory requirements. This includes adherence to regulations such as GDPR, the Financial Conduct Authority (FCA) guidelines, and global standards like ISO 27001 and SOC 2. We maintain a dedicated team that is focused on compliance, ensuring that we stay up to date with the evolving regulatory landscape. This team works closely with our innovation and technology teams to ensure that any new projects or tools are fully vetted for compliance before implementation.
When we approach innovation, especially with new technologies or AI tools, we adopt a "privacy by design" and "security by design" mindset. This means that compliance considerations are not an afterthought but are integrated from the outset. Whether we are developing new products, adopting cutting-edge cybersecurity technologies, or streamlining operations, we ensure that privacy and security controls are baked into the design process. This proactive approach ensures that we innovate within the bounds of compliance and avoids costly reworks or potential regulatory risks later on.
We take a risk-based approach to innovation, meaning that we evaluate new technologies and approaches through a cybersecurity lens. By understanding the potential security risks, compliance challenges, and benefits associated with each innovation, we can better manage and mitigate potential issues. This risk-based approach allows us to adopt and experiment with innovative solutions, such as AI in cybersecurity, while ensuring that we don’t compromise on security and compliance.
To ensure that we remain compliant while innovating, we perform regular audits of both our existing systems and any new technologies we implement. These audits are designed to assess whether we’re meeting the necessary regulatory requirements and maintaining the highest standards of cybersecurity. They also help identify potential gaps early on, enabling us to take corrective action without stalling innovation. Continuous monitoring of our systems ensures that, even as we innovate, we can detect and address any compliance or security issues as they arise.
DE: Third-party relationships are often a weak link in cybersecurity. How do you manage and mitigate risks associated with vendors and partners?
NP: Managing third-party risks is crucial, especially in financial services where these relationships can expose the organisation to cybersecurity threats. At Ocorian, we adopt a multi-layered approach to mitigate these risks:
- Before onboarding any vendor, we assess their cybersecurity posture, compliance with regulations, and past incident history to ensure they meet our security standards.
- We include strict cybersecurity clauses in contracts, ensuring vendors comply with data protection policies and are accountable for security breaches.
- We regularly assess our third-party vendors to ensure they maintain security standards and compliance.
- We require vendors to have robust incident response plans in place and ensure prompt breach notifications, enabling us to react swiftly if an issue arises.
- We apply strict access controls and encryption to protect data shared with third parties and limit access to only necessary personnel.
- If a vendor is no longer able to meet security standards, we are implementing clear procedures to securely end the relationship and protect our data.
By embedding these practices into our third-party management process, we mitigate risks and maintain strong, secure relationships with our vendors, ensuring the protection of both our clients and organisational data.
DE: What trends do you foresee in AI, data, and cybersecurity, and how can financial services organisations prepare for the future?
NP: The intersection of AI, data, and cybersecurity is rapidly evolving, and there are several key trends that will shape the future of financial services.
AI is already transforming how we approach cybersecurity. With its ability to analyse large volumes of data in real time, AI will increasingly be used for proactive threat detection, anomaly detection, and automated responses. Financial services organisations will invest in AI-driven tools that can quickly adapt to emerging threats, and regularly update these models to ensure they remain effective and free from biases.
As data becomes more integral to decision-making, data privacy will remain a top priority. With regulations like GDPR and CCPA growing in importance, financial services need to strengthen their data governance frameworks to ensure compliance. Transparency about how customer data is used will also be crucial in maintaining trust.
The move to cloud and hybrid environments will continue to accelerate. As financial services adopt these technologies, cybersecurity will need to evolve to address new challenges. It will be critical to implement strong security protocols like encryption and identity management to protect data and maintain control across multiple environments.
AI will also play a major role in automating incident response. Financial institutions can use AI to detect breaches faster and respond more efficiently, reducing the impact of a cyber-attack. Preparing for this requires investing in automated security operations centres (SOCs) that can enable real-time threat containment.
AI’s ability to process vast amounts of transactional data will help improve fraud detection. Real-time monitoring, pattern recognition, and predictive analytics will allow financial services to spot fraudulent activities much faster than traditional methods. Financial institutions should prepare by adopting AI tools that enhance their fraud prevention systems.
As third-party risks continue to grow, especially with vendors and suppliers, ensuring cybersecurity across the supply chain is essential. Financial services should be vigilant about assessing their third-party partners’ security practices and implement continuous monitoring to manage these risks.
DE: What advice would you offer aspiring CISOs looking to make a meaningful impact in cybersecurity and leadership?
NP: My journey has been both rewarding and challenging, and I’ve learned a lot along the way. Having a young child, I’ve learned that balance is key. The role of a CISO is demanding, but it’s important to set boundaries, manage your time effectively, and find ways to thrive both personally and professionally. It’s OK to acknowledge that there will be tough moments where you need to lean on your team, your boss or peers for support. This balance allows you to lead with empathy and be present in both your professional and personal life.
Cybersecurity is about managing risk and aligning security with the business strategy. For me, it’s been essential to really understand how security fits into the broader goals of the organisation. I think aspiring CISOs should be strategic thinkers—understand how security impacts customer trust, brand reputation, and regulatory compliance. Don’t just focus on threats; focus on managing risks that can truly disrupt your business.
One of the best decisions I’ve made is surrounding myself with trusted security partners. No one can do it alone, and the cybersecurity landscape is evolving rapidly. I rely on strong relationships with security vendors and partners who bring expertise to the table—whether it's threat intelligence, incident response, or advanced technologies. These partnerships give me the confidence to stay ahead of risks, and I believe CISOs should embrace collaboration and leverage expertise wherever possible.
Communication has been a big part of my success. Whether it’s explaining complex security issues to the board or advocating for additional resources, the ability to communicate clearly and effectively is essential. Managing expectations, setting clear priorities, and ensuring everyone understands the “why” behind security measures is vital. CISOs should learn how to translate technical concepts into language that resonates with non-technical stakeholders.
I believe in leading by example when it comes to fostering a security-first culture. It’s not just about tools and technology but about creating an environment where everyone in the organisation feels responsible for security. I prioritise regular training and awareness campaigns to empower employees to make smarter decisions. This holistic approach to cybersecurity is something I’ve found to be very effective in creating lasting change.
In both my career and personal life, resilience has been a key lesson. Cybersecurity is a dynamic field, and there are always new challenges to face. Whether you’re managing an incident or navigating workplace dynamics, being able to adapt, stay calm under pressure, and quickly recover is essential. For CISOs, it’s important to stay grounded and focus on the bigger picture, even when things feel overwhelming.
The cybersecurity landscape is always changing, and as a leader, it’s important to stay ahead. I make it a priority to keep learning—whether it’s through reading, attending conferences, engaging with peers in the industry, or taking part in training.
Building a strong, supportive team is crucial to success. I have an incredible team, whom I rely on heavily to allow me to do my role well, and I also ensure that I build relationships with other departments and external partners. The strength of your internal and external networks can make a huge difference. I’ve learned that it’s okay to ask for help, and building a supportive environment where your team feels comfortable doing the same will drive success.
For aspiring CISOs, my advice is to approach the role with empathy, resilience, and a strategic mindset. Understand your organisation’s goals, communicate effectively, leverage strong partners, and create a culture where cybersecurity is everyone’s responsibility. And, importantly, don’t forget to find balance in your life—it’s essential for both your personal well-being and your leadership success. Leading in cybersecurity isn’t just about managing risks—it’s about empowering people, staying adaptable, and continually evolving to meet new challenges.