Cybersecurity and Risk

The blog of a CISO

  • Cybersecurity in M&A: why the CISO must be at the due diligence table

    Mergers and acquisitions (M&A) are among the most strategically sensitive and high-impact decisions a company can make. Traditionally, the focus of M&A due diligence has centered on financial, legal, and operational assessments. However, in today’s digital-first landscape, cybersecurity posture is a critical component of enterprise value and risk exposure.

    Organizations that overlook cybersecurity risk during M&A transactions often face costly surprises after closing. These may include inherited breaches, regulatory violations, reputational damage, or operational disruption.

    This is why CISOs must no longer be involved only after the deal is signed. Their engagement during the early stages of due diligence is essential to identifying and managing digital risk across the transaction lifecycle.


    Why cybersecurity due diligence matters in M&A

    Cybersecurity directly affects business continuity, customer trust, regulatory compliance, and brand reputation. When the target company has weak security controls or a history of underreported incidents, the acquiring organization could inherit:

    • Financial liabilities from future breach remediation or fines
    • Regulatory exposure under GDPR, NIS2, DORA, or local frameworks
    • Technical debt and unsupported infrastructure
    • Integration complexity that slows post-merger execution

    Cyber risk in M&A is not hypothetical. In the Verizon–Yahoo deal, previously undisclosed data breaches led to a $350 million reduction in acquisition value. This case and others illustrate how cybersecurity gaps can become material business risks.


    The CISO’s role in M&A due diligence

    A modern CISO should be actively involved during the early evaluation phase of a transaction. Their responsibility is not limited to technical assessments. It includes identifying how security posture, risk exposure, and digital maturity impact deal value and post-merger integration.

    Key areas of responsibility

    1. Assessing the cybersecurity posture of the target

    • State of preventive and detective controls
    • Security tooling maturity, including SIEM, EDR, vulnerability management, and MFA
    • Track record of security incidents and response effectiveness
    • Certifications, attestations, and gaps against them (e.g. ISO 27001, SOC 2, PCI DSS), checked against the actual audit scope rather than the badge on the website

    2. Identifying hidden liabilities and risk drivers

    • Remediation costs associated with security weaknesses
    • Legacy infrastructure that requires replacement or segmentation
    • Risks inherited through third-party contracts and vendors
    • Non-compliance exposure that could trigger post-closing penalties

    3. Supporting post-deal integration planning

    • Alignment of identity and access models across the organizations
    • Consolidation of cybersecurity policies and frameworks
    • Integration of SOC operations, incident response procedures, and detection systems
    • Cultural differences in security awareness and accountability across teams

    Cybersecurity due diligence: what to include

    A structured cybersecurity due diligence framework brings consistency and depth to the evaluation process. Below is a practical breakdown of domains to assess:

    Domain                 | What to assess
    -----------------------+--------------------------------------------------------------
    Asset visibility       | Accuracy of IT, data, and application inventories
    Vulnerability status   | Open CVEs, patch compliance, misconfigured systems
    Third-party risk       | Security posture of inherited vendors and contracts
    Compliance readiness   | Alignment with relevant laws, standards, and audit frameworks
    Incident history       | Frequency and severity of past security events
    Governance structure   | Existence of policies, ownership models, and executive oversight

    Strategic benefits of early CISO involvement

    Involving the CISO before closing provides value that goes beyond risk avoidance. Early engagement enables:

    • Improved valuation accuracy through structured risk scoring
    • Faster and cleaner post-deal integration across IT and security functions
    • Proactive mitigation of compliance or contractual exposures
    • Greater confidence at board level through visibility into security maturity

    Cybersecurity due diligence is not just a defensive activity. It is a business enabler that helps protect investment value and accelerate integration efforts.


    Conclusion: cybersecurity as a value multiplier in M&A

    Modern acquisitions are more than financial transactions. They are also digital integrations. That is why the CISO must have a seat at the due diligence table and operate with the same level of strategic input as legal, finance, and operations.

    Cyber risk is now a board-level concern. Integrating cybersecurity due diligence into M&A processes signals maturity, governance, and foresight. Organizations that embed security into early-stage deal planning not only avoid costly surprises but also unlock faster value realization and long-term stability.


  • Centralized vs. Decentralized Cybersecurity: Navigating the Federated Model

    As cybersecurity evolves from a technical discipline into a core component of enterprise governance, organizations are facing a structural dilemma: should security responsibilities be centralized under a unified function, or distributed across operational units to better reflect business realities?

    This question goes beyond organizational charts. It speaks to how risk is understood, owned, and mitigated throughout a company. The answer, rarely binary, depends on governance maturity, organizational culture, and execution models.


    Centralized Cybersecurity: Control, Consistency, and Risk Oversight

    In a centralized model, cybersecurity is managed through a unified team, often reporting directly to the CISO. This team owns core functions such as identity governance, threat monitoring, incident response, and compliance alignment.

    Advantages of Centralized Security

    • Policy consistency: Standards are defined once and enforced uniformly across the organization, reducing interpretive gaps and misalignment.
    • Operational efficiency: Shared platforms and consolidated contracts generate economies of scale and reduce tool sprawl.
    • Regulatory readiness: Audits, certifications, and compliance obligations (e.g., ISO 27001 as a standard, NIS2 and DORA as regulations) benefit from cohesive documentation and traceability.
    • Enterprise-wide risk visibility: Centralized telemetry enables broader insight into systemic risk exposure.

    Limitations of Centralized Security

    • Slow execution loops: Approvals and interventions often move through multiple layers, slowing down project delivery.
    • Low local ownership: Business units may treat cybersecurity as an external constraint, leading to disengagement or superficial compliance.
    • Rigid process enforcement: Central mandates may conflict with agile teams or product-driven innovation.

    Decentralized Cybersecurity: Responsiveness, Ownership, and Context Awareness

    In contrast, a decentralized model delegates cybersecurity operations and decision-making to teams embedded in the business. The central function acts more as a facilitator than a controller, enabling autonomy within agreed guardrails.

    Advantages of Decentralized Security

    • Proximity to operations: Security becomes embedded in local workflows and adapts to business-specific risk factors.
    • Faster decision-making: Local teams can respond more quickly to emerging needs without waiting for central sign-off.
    • Increased accountability: Security stops being “someone else’s job” and becomes a shared responsibility.
    • Cultural alignment: Especially in product-led or DevOps environments, decentralization reflects how software and services are actually delivered.

    Risks and Drawbacks of Decentralized Security

    • Inconsistent enforcement: Without tight coordination, policies may diverge and compliance gaps can emerge.
    • Tool fragmentation: Each team may adopt different technologies, resulting in overlap, increased costs, and integration friction.
    • Difficult monitoring: Risk visibility becomes diluted, making centralized reporting and benchmarking challenging.
    • Potential for shadow IT: Lack of centralized review increases exposure to unmanaged services and data flows.

    The Federated Security Model: Governance with Flexibility

    Rather than choosing one extreme, many organizations are moving toward a federated model, which aims to balance central control with local execution. The core idea: establish a consistent baseline, then empower business units to implement controls tailored to their operational context.

    Key Features of a Federated Approach

    • Central teams define core policies, platforms, and minimum requirements.
    • Local teams retain operational ownership within a shared governance framework.
    • Security champions or embedded security roles act as connectors between units and the central function.
    • Risk accountability is distributed but measurable, supported by common KPIs, SLAs, and oversight cadences.

    This hybrid model aligns well with modern enterprise architectures, where infrastructure, data, and responsibility are inherently distributed.


    Choosing the Right Model: Context Over Convention

    There is no one-size-fits-all solution. Each model introduces trade-offs that must be evaluated based on:

    • Organizational scale and complexity
    • Security maturity and risk appetite
    • Regulatory exposure and industry norms
    • Operational structure (agile, traditional, product-centric)

    What matters most is not just where cybersecurity is managed, but how it is embedded into the organization’s culture, priorities, and decision-making.


    Final Thought

    Effective cybersecurity isn’t just a matter of reporting lines. It depends on clear accountability, consistent execution, and strategic alignment with business goals. A federated model, properly designed and governed, offers a path to unify standards without slowing down execution, bridging the gap between risk management and business agility.

  • Why virtual CISOs can’t replace real security leadership

    Over the past few years, the term Virtual CISO – or vCISO – has become increasingly popular, especially among small and mid-sized companies looking to outsource their cybersecurity leadership. On paper, the model looks attractive: a part-time consultant with solid experience in security, providing strategic oversight at a fraction of the cost of a full-time hire.

    But here’s the uncomfortable truth: Virtual CISOs don’t really exist.

    Because being a CISO isn’t just about technical expertise or governance frameworks. It’s about living and breathing the business. And that kind of involvement can’t be dialed in over Zoom a few hours a week.

    The CISO Role Is Not (Just) Technical

    A Chief Information Security Officer isn’t a technical resource – or at least, not primarily. A CISO makes strategic decisions, navigates organizational politics, drives cultural change, translates cyber risk into business impact, and collaborates with legal, HR, finance, product, and IT at all levels.

    To do this effectively, a CISO must have first-hand knowledge of how the company operates: the trade-offs, the priorities, the financial constraints, the product strategy, and even the internal frictions between departments. These are insights you don’t gain from outside the organization.

    A CISO needs to be inside the business – not adjacent to it.

    The Structural Limits of the vCISO Model

    Let’s be clear – the issue is not with the technical capabilities of virtual CISOs. Many of them have exceptional experience and credentials. But that experience is often too generalized to substitute for the contextual depth required by a security executive embedded in the day-to-day life of a business.

    Security leadership cannot be abstract. It needs to be grounded in the company’s operating model and risk appetite. It requires proximity to real-time decision-making, participation in executive discussions, and trust built over time within cross-functional teams.

    A virtual CISO isn’t in the room when strategic pivots are made. They’re not in crisis calls at 10 p.m. after a breach. They’re not negotiating live with product managers facing critical release deadlines. And because of that, they can’t act as the real-time translator between business needs and security controls, one of the CISO’s most important responsibilities.

    Being a CISO Is About Identity, Not Deliverables

    Too often, companies treat the CISO as a compliance requirement, a checkbox on an audit form. In those cases, the virtual CISO model may seem like a cost-effective compromise. But that’s a fundamental misunderstanding of what a CISO actually is.

    A CISO isn’t a PDF report or a quarterly roadmap review. A true CISO is a leader, someone who earns internal trust, navigates risk with nuance, and influences decisions across the entire business.

    You can’t do that without presence, context, and skin in the game.

    Conclusion

    There are scenarios where a vCISO makes sense: short-term engagements, early-stage startups, or specific compliance initiatives. But in a company that takes security seriously as a strategic function, the only real model is that of an internal, dedicated, embedded CISO.

    Security doesn’t scale through detachment. It scales through integration. And that requires a security leader who’s not just observing the business – but actively part of it.

    To put it plainly: Virtual CISOs don’t exist. There are CISOs, and there are consultants. They are not the same.

  • The CISO’s compass: defining effective KPIs and KRIs for cybersecurity leadership


    In an increasingly complex digital landscape, the Chief Information Security Officer (CISO) has evolved from a technical gatekeeper to a strategic business enabler. This transition demands not only operational excellence but also measurable accountability. To demonstrate value, guide decision-making, and align with enterprise priorities, a modern CISO must define and manage a set of meaningful Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs).

    This article explores how security executives can leverage KPI and KRI frameworks to enhance visibility, align security outcomes with business strategy, and drive continuous improvement across the cybersecurity function.


    KPIs: Measuring the Impact of Cybersecurity Initiatives

    Key Performance Indicators (KPIs) are critical metrics that assess the effectiveness and efficiency of cybersecurity operations. They offer actionable insights into program maturity, resource utilization, and overall performance. Below are the most impactful KPIs every CISO should consider tracking:

    • Mean Time To Detect (MTTD): Average time from the first attacker activity (as established by forensics) to detection, reflecting detection coverage and tooling effectiveness. Measuring from the first alert instead of the first activity hides dwell time and flatters the number.
    • Mean Time To Respond (MTTR): Average time from detection to containment and remediation, highlighting response agility. State explicitly whether "R" means respond, remediate, or recover, since the three give very different figures.
    • Security Awareness Completion Rate: Percentage of employees who have completed mandatory security training. It is a proxy for coverage, not for behaviour; pair it with the phishing metric below.
    • Critical (and exploitable) Vulnerabilities Resolved Within SLA: Percentage of critical vulnerabilities remediated within the defined Service Level Agreements, offering insight into patch management discipline. Findings that are still open but already past their SLA must count as breaches, or the metric rewards leaving tickets open.
    • Phishing Simulation Failure Rate: Employee susceptibility to social engineering, measured as click-through and credential-submission rates on simulated campaigns, with reporting rate tracked alongside.

    Well-defined KPIs provide a quantitative foundation for justifying cybersecurity investments, reporting to the board, and steering day-to-day decisions.


    KRIs: anticipating risk before it materializes

    While KPIs focus on performance, Key Risk Indicators (KRIs) serve as early warning signals for emerging threats. They are essential for proactive risk management and provide a forward-looking view of potential exposures. The following KRIs can help CISOs identify latent vulnerabilities:

    • Unauthorized devices on the network: A growing number of rogue endpoints may indicate gaps in asset management or policy enforcement.
    • Incident frequency over time: An upward trend in incident volume can signal deeper systemic issues or an expanding attack surface.
    • IT security staff turnover rate: High attrition within security teams can result in knowledge gaps, delays in remediation, and loss of institutional memory.
    • Policy non-compliance rate: Measures the extent to which employees fail to adhere to internal security protocols and standards.
    • Average exposure time to known vulnerabilities: Tracks the time systems remain exposed to publicly known threats, indicating responsiveness to CVEs.

    When integrated into a broader enterprise risk framework, KRIs empower CISOs to make informed trade-offs and prioritize resources effectively.


    Best practices for implementing KPIs and KRIs

    To derive actionable insights and real business value, security leaders should approach metrics strategically. Consider the following implementation best practices:

    1. Align with business objectives
      KPIs and KRIs should reflect organizational priorities, stakeholder expectations, and risk appetite.
    2. Define clear benchmarks and thresholds
      Establish targets, baselines, and escalation points to ensure consistent interpretation and response.
    3. Leverage automation and real-time dashboards
      Use SIEM, SOAR, and GRC platforms to automate data collection, correlation, and visualization.
    4. Communicate with stakeholders in business terms
      Translate metrics into operational or financial impact to drive engagement and board-level support.
    5. Continuously review and evolve metrics
      Cyber risk evolves rapidly—your metrics should too. Periodically reassess them based on threat intelligence, audit findings, and strategic shifts.
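    The metrics above only become a compass once the timestamps they depend on, the SLA values and the thresholds are pinned down. The following is an added example, not code from the original post: it computes MTTD, MTTR, SLA compliance and average exposure time from incident and vulnerability records and rates each against traffic-light thresholds. The record layout, the SLA days, the thresholds and the sample data are all constructed assumptions; an open finding that is already past its SLA is counted as a breach, while one still inside its window is excluded as undecided.

```python
"""KPI/KRI computation from incident and vulnerability records.
Added example, not from the original post; record layout, SLA values,
thresholds and sample data are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    first_activity: datetime        # earliest attacker action, from forensics
    detected: datetime              # first alert or report that was acted on
    contained: Optional[datetime]   # None while the incident is still open


@dataclass(frozen=True)
class Vulnerability:
    severity: str                   # "critical" | "high" | "medium"
    known_since: datetime           # CVE publication or first scanner hit
    remediated: Optional[datetime]  # None while still open


# Assumed remediation SLAs in days (the post does not prescribe values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}


def mttd_hours(incidents: List[Incident]) -> float:
    """MTTD: mean time from first attacker activity to detection."""
    return mean((i.detected - i.first_activity).total_seconds() / 3600 for i in incidents)


def mttr_hours(incidents: List[Incident]) -> Optional[float]:
    """MTTR (respond = contain): mean detection-to-containment, closed incidents only."""
    closed = [i for i in incidents if i.contained is not None]
    if not closed:
        return None
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in closed)


def sla_compliance_pct(vulns: List[Vulnerability], severity: str, now: datetime) -> Optional[float]:
    """Share of findings of one severity fixed within SLA.
    Open and overdue counts as a breach; open and still in window is undecided
    and excluded, so unclosed tickets cannot inflate the score."""
    sla = timedelta(days=SLA_DAYS[severity])
    within = decided = 0
    for v in vulns:
        if v.severity != severity:
            continue
        if v.remediated is not None:
            decided += 1
            within += int(v.remediated - v.known_since <= sla)
        elif now - v.known_since > sla:
            decided += 1        # open past SLA: a breach already
    return 100.0 * within / decided if decided else None


def avg_exposure_days(vulns: List[Vulnerability], now: datetime) -> float:
    """KRI: mean time systems stayed exposed; open findings count up to now."""
    return mean(((v.remediated or now) - v.known_since).total_seconds() / 86400 for v in vulns)


def status(value: Optional[float], green: float, amber: float, higher_is_better: bool = False) -> str:
    """Traffic-light rating against two assumed thresholds."""
    if value is None:
        return "n/a"
    if not higher_is_better:                 # flip so 'bigger is better' logic applies
        value, green, amber = -value, -green, -amber
    if value >= green:
        return "green"
    if value >= amber:
        return "amber"
    return "red"


# Constructed sample data, all timestamps in June 2025.
NOW = datetime(2025, 6, 30, 12, 0)
INCIDENTS = [
    Incident(datetime(2025, 6, 1, 0), datetime(2025, 6, 1, 6), datetime(2025, 6, 1, 18)),
    Incident(datetime(2025, 6, 10, 0), datetime(2025, 6, 11, 0), datetime(2025, 6, 12, 12)),
    Incident(datetime(2025, 6, 25, 0), datetime(2025, 6, 25, 12), None),  # still open
]
VULNS = [
    Vulnerability("critical", datetime(2025, 6, 1), datetime(2025, 6, 5)),   # 4 d, in SLA
    Vulnerability("critical", datetime(2025, 6, 1), datetime(2025, 6, 12)),  # 11 d, breach
    Vulnerability("critical", datetime(2025, 6, 20), None),                  # open, overdue
    Vulnerability("critical", datetime(2025, 6, 28), None),                  # open, undecided
    Vulnerability("high", datetime(2025, 5, 1), datetime(2025, 5, 20)),      # 19 d, in SLA
]


def report(incidents=INCIDENTS, vulns=VULNS, now=NOW) -> Dict[str, object]:
    """One dashboard row: value plus rating, ready for a board slide."""
    mttd, sla = mttd_hours(incidents), sla_compliance_pct(vulns, "critical", now)
    return {
        "mttd_hours": mttd, "mttd_status": status(mttd, green=12, amber=24),
        "mttr_hours": mttr_hours(incidents),
        "critical_sla_pct": sla, "sla_status": status(sla, green=95, amber=80, higher_is_better=True),
        "avg_exposure_days": avg_exposure_days(vulns, now),
    }


if __name__ == "__main__":
    for name, value in report().items():
        print(f"{name:>18}: {value}")
```

    With the sample data, MTTD is 14 hours (amber), MTTR 24 hours, critical SLA compliance one in three (red, because the open overdue finding counts against it) and average exposure 9.4 days. The useful design point is in `sla_compliance_pct`: without the "open and overdue" branch the same data would report 50 percent, which is the kind of flattering number that erodes board trust once an auditor recomputes it.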

    Conclusion: metrics as a driver for strategic security

    For CISOs, metrics are more than numbers—they are strategic instruments for visibility, accountability, and influence. When defined and applied correctly, KPIs and KRIs bridge the gap between technical operations and executive strategy, enabling the security function to scale with the business.

    In short, cybersecurity cannot be governed in the dark. It must be measured, optimized, and aligned with the broader goals of the organization. KPIs and KRIs are the compass that allows CISOs to navigate this mission with clarity and purpose.

  • Shift Down in Tech: How Cybersecurity and AI Are Powering Developer Autonomy

    In today’s fast-moving tech landscape, organizations are constantly looking for ways to simplify complexity and empower their teams. One emerging concept that’s gaining momentum is the idea of “shift down” – a cultural and operational shift that brings decision-making and responsibility closer to the teams actually building and running systems.

    While “shift left” has long been a best practice in software development – moving testing, security, and compliance earlier in the lifecycle – shift down takes a different angle. It’s about decentralization: giving product and engineering teams more autonomy, faster access to tools, and direct ownership of tasks that were traditionally siloed in centralized functions.

    But here’s the catch: none of this works without strong cybersecurity foundations.

    Why Cybersecurity Is Key to Shift Down

    Cybersecurity is often seen as a bottleneck. But in a shift down model, it becomes a powerful enabler. Security needs to be built into workflows, not bolted on afterward. That means moving from gatekeeping to enablement – giving teams the tools, guardrails, and guidance they need to work fast and safely.

    This is where modern security-as-a-service principles come in. Think about:

    • Cloud Security Posture Management (CSPM) that automatically flags misconfigurations
    • Secrets detection integrated into CI/CD pipelines
    • Data Loss Prevention (DLP) built into collaboration tools
    • IAM self-service with policy-based access control

    When security platforms are easy to use, self-serve, and developer-friendly, they stop being a blocker and start acting as a force multiplier.
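    The second bullet, secrets detection in the CI/CD pipeline, is the guardrail most teams meet first. As an added example that is not code from the original post, the block below implements a minimal merge gate: it walks the added lines of a unified diff, matches a small assumed rule set (an AWS access key ID format, a PEM private-key header, and sensitive-looking assignments), drops documentation-style placeholders by keyword and Shannon entropy so the gate does not cry wolf, and returns a non-zero exit status when anything remains. The rules, the placeholder heuristics and the sample diff are constructed assumptions; a production pipeline would use a maintained signature list.

```python
"""Secrets-detection gate over the added lines of a unified diff.
Added example, not from the original post; rules, placeholder heuristics
and the sample diff are assumptions."""
import math
import re
from collections import Counter
from typing import Iterator, List, NamedTuple, Pattern, Tuple


class Finding(NamedTuple):
    path: str
    line_no: int    # line number in the new file
    rule: str
    snippet: str    # truncated match, never the full secret (keeps CI logs clean)


# Assumed rule set. The generic rule captures the assigned value in group(1).
RULES: List[Tuple[str, Pattern[str]]] = [
    ("aws-access-key-id", re.compile(r"(?:AKIA|ASIA)[0-9A-Z]{16}")),
    ("private-key-block", re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
    ("generic-assignment", re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\w*\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{16,})")),
]
PLACEHOLDER_TOKENS = ("changeme", "your-", "placeholder", "xxxxxxxx", "redacted")
MIN_ENTROPY_BITS = 3.0   # assumed cut-off: real credentials sit well above this


def shannon_entropy(s: str) -> float:
    """Bits per character: ~4.7 for random base64, lower for repeated words."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def looks_like_placeholder(value: str) -> bool:
    """Documentation dummies: known tokens, or too little entropy to be a key."""
    lowered = value.lower()
    if any(tok in lowered for tok in PLACEHOLDER_TOKENS):
        return True
    return shannon_entropy(value) < MIN_ENTROPY_BITS


def added_lines(diff_text: str) -> Iterator[Tuple[str, int, str]]:
    """Yield (path, new_line_no, text) for every '+' line, tracking hunk offsets."""
    path, new_no = "", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                 # file header (checked before '+')
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("diff "):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:
            new_no = int(hunk.group(1))            # first line number of the new side
            continue
        if raw.startswith("+"):
            yield path, new_no, raw[1:]
            new_no += 1
        elif raw.startswith("-"):
            continue                               # removed lines are not in the new file
        elif raw.startswith(" ") or raw == "":
            new_no += 1                            # unchanged context line


def scan_diff(diff_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for path, line_no, text in added_lines(diff_text):
        for name, pattern in RULES:
            m = pattern.search(text)
            if not m:
                continue
            if name == "generic-assignment" and looks_like_placeholder(m.group(1)):
                continue
            findings.append(Finding(path, line_no, name, m.group(0)[:8] + "***"))
    return findings


def gate(findings: List[Finding]) -> int:
    """Exit status for the CI step: non-zero blocks the merge."""
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule} ({f.snippet})")
    return 1 if findings else 0


# Constructed sample diff; the key values are documentation-style examples.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
--- a/config/settings.py
+++ b/config/settings.py
@@ -10,3 +10,5 @@
 DEBUG = False
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
 ALLOWED_HOSTS = ["example.com"]
+DB_PASSWORD = "changeme-changeme-123"
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # Service
+Set `API_TOKEN=your-token-goes-here` before starting.
 Run `make dev`.
"""

if __name__ == "__main__":
    raise SystemExit(gate(scan_diff(SAMPLE_DIFF)))
```

    On the sample diff the gate reports two findings in `config/settings.py` (lines 11 and 12) and exits 1, while the `changeme` password and the README placeholder are dropped. Scanning only added lines is deliberate: it keeps the check fast enough for every pull request and avoids re-flagging history that a separate, slower repository sweep should own.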

    How AI and Automation Accelerate Shift Down

    Integrating AI tools into security operations is also a game changer. From automated code reviews to intelligent alert triage, AI helps reduce noise, prioritize threats, and speed up security feedback loops. This allows security teams to focus on high-value tasks, while empowering product teams to move forward with confidence.

    Imagine AI models that support real-time threat modeling during design phases, or tools that auto-generate remediation advice directly in pull requests. These aren’t just nice-to-haves anymore – they’re becoming essential components of a modern, scalable security strategy.

    Final Thoughts: Shift Down Is About Trust and Enablement

    To be clear, shift down doesn’t mean less control. It means smarter, distributed control. It means trusting teams, supported by the right tooling and security culture, to make the right calls in real time.

    When cybersecurity is built to enable, not obstruct, it unlocks the full potential of your tech organization: faster releases, fewer bottlenecks, and stronger resilience.

    If your company is exploring new ways to scale safely and efficiently, it might be time to start thinking not just left, but down.

  • How AI is impacting the cybersecurity jobs landscape

    The cybersecurity industry is at a technological inflection point. Artificial intelligence and automation are no longer aspirational buzzwords; they are redefining operational realities across the digital threat landscape. Among all domains within cybersecurity, the Security Operations Center (SOC) is emerging as the first and most significantly impacted environment. This is not merely a trend, it is an operational inevitability. The traditional SOC model, built around human-driven, round-the-clock monitoring and incident response, is increasingly being replaced by intelligent agents capable of executing these activities with unprecedented speed, scale, and consistency.

    SOCs have long been the tactical backbone of enterprise cybersecurity, responsible for monitoring telemetry, triaging alerts, and executing incident response procedures. However, the daily workload within a SOC is inherently repetitive and heavily reliant on predefined playbooks. These characteristics make it highly susceptible to disruption through automation. The introduction of AI-driven agents, capable of parsing vast datasets, contextualizing threat intelligence, and initiating remediation protocols in real time, is fundamentally altering how security operations are performed. The Tier 1 analyst role, traditionally tasked with alert triage and low-level investigation, is already being marginalized as AI systems match human analysts in speed and, for well-defined alert classes, in accuracy and consistency. The natural progression will see Tier 2 responsibilities, such as enrichment, correlation, and containment, increasingly delegated to autonomous systems as well, with humans validating the outcomes rather than producing them.

    This transition is not eliminating the need for cybersecurity professionals; rather, it is redefining the competencies that will be most valuable. Operational roles centered around manual execution are giving way to functions that require system-level thinking, AI model supervision, automation engineering, and strategic response oversight. Analysts who once focused on log analysis and repetitive triage will need to evolve into automation orchestrators and AI supervisors, tasked with training, fine-tuning, and validating the behavior of intelligent agents. The future SOC will be staffed not with alert chasers, but with engineers and cyber strategists managing an ecosystem of autonomous responders.

    From a business perspective, the automation of SOC functions introduces a new operating model centered on resilience, scalability, and cost-efficiency. The ability to respond to threats in milliseconds, independent of human limitations, enhances an organization’s security posture while simultaneously reducing reliance on hard-to-fill human roles. This does not suggest the obsolescence of the human analyst; rather, it underscores the necessity of redefining their purpose within a modernized SOC. Human expertise will be redirected toward validating critical decisions, managing edge-case escalations, and refining the automation logic that powers the AI agents.

    The convergence of AI and automation is not simply changing how SOCs operate, it is setting the stage for a complete realignment of the cybersecurity labor market. As intelligent agents become the first responders in the digital battlefield, cybersecurity professionals must adapt by acquiring new skills, embracing automation-first methodologies, and rethinking their roles within the broader threat management lifecycle. SOC and response automation is not a marginal efficiency gain, it is the first wave of a systemic transformation. Those who invest in upskilling, proactive planning, and strategic adaptation will not only remain relevant but become indispensable in the next generation of cybersecurity operations.