
Cybersecurity Is a Calling, Not Just a Career — Dr. Priyanka Sunder (PD) on Women Leading the Charge


In a domain still striving for gender parity, Dr. Priyanka Sunder (PD) stands as a compelling example of what two decades of purpose-driven leadership looks like. A multi-award-winning cybersecurity strategist, she has built her career at the intersection of governance, risk, and compliance — navigating Big 4 advisory boardrooms, global regulatory frameworks, and complex digital transformations across nine countries. As Co-founder of CHRIO SecureMojo and a National Cyber Security Scholar, Dr. Sunder brings rare depth to conversations around GRC, cloud security, and enterprise resilience. Her recognitions — including Cybersecurity Leader of the Year 2025, Top CISO 2023 (BFSI), and Global 200 Women Power Leader — reflect not just technical expertise, but a leadership philosophy rooted in empathy, continuous learning, and servant leadership. On the occasion of International Women's Day, we sat down with Dr. Sunder to talk about how cybersecurity governance has evolved, what it takes to build a real security culture inside organizations, and what she would tell women who are just starting out in this field. Read the full interview below:

Dr Priyanka Sunder (PD) Interview on Cybersecurity, GRC & Leadership

TCE: On the occasion of International Women's Day, how do you see the role of women evolving in cybersecurity leadership and governance?

Dr. Priyanka Sunder (PD): Women bring unique perspectives that enrich strategy and problem-solving — empathy, patience, determination, and attention to detail are not just soft skills but critical enablers of effective cybersecurity. These qualities help uncover root causes, ensure logical closures of risk remediations, and strengthen decision-making. By turning challenges into opportunities and stepping beyond comfort zones, we build cross-functional skills, foster a One Team culture, and position cybersecurity as a true business enabler. Women leaders excel at servant and situational leadership, building the trust and collaboration that unite teams around common organizational goals — inspiring the next generation to see cybersecurity not just as a career, but as a calling.

TCE: How have you seen GRC evolve in helping organizations manage today's complex threat landscape?

Dr. Priyanka Sunder (PD): When I started as an Information Security Analyst 20 years ago, organizations treated compliance as a "check in the box" exercise. It took over a decade for the shift toward recognizing that cyber hygiene is a fundamental pillar of enterprise resilience. Today, companies understand that compliance is not a one-time effort — it's a moving target. The question is no longer "have you been compromised?" but "how prepared are we, and how fast can we recover?" GRC now plays a critical role through periodic maturity assessments, Information Security scorecards, integrated business continuity testing, and third-party risk management. A strong cybersecurity training and awareness framework — which can reduce 90% of risks from human error — is equally central to that mission.

TCE: How can organizations align multiple compliance frameworks like NIST, ISO 27001, RBI, MAS TRM, and GDPR without impacting operational agility?

Dr. Priyanka Sunder (PD): Throughout my career, I've emphasized secure code development, secure configurations, and hardening baselines as foundational drivers for safely adopting emerging technologies like AI, OT, and cloud. These form the pillars of Security by Design — driving operational excellence while keeping Information Security agile and enabling collective transformation.

TCE: What are the most critical controls organizations should prioritize when securing cloud environments?

Dr. Priyanka Sunder (PD): In the shared responsibility model, organizations must prioritize mitigating vendor dependency, ensuring data localization for jurisdictional compliance, maintaining robust backup strategies, preventing security misconfigurations across containers and storage, and implementing strong key management practices. A phased migration approach, combined with proactively addressing these challenges, helps organizations strengthen cloud security while ensuring smoother transitions.

TCE: What practical strategies can organizations adopt to build a stronger security culture?

Dr. Priyanka Sunder (PD): Strong leadership commitment is the foundation. When management consistently models secure behaviour — using multi-factor authentication, reporting suspicious activity — it signals that cybersecurity is a shared responsibility, not just an IT function. Training must be continuous, engaging, and role-tailored: bite-sized learning, phishing simulations, secure coding workshops, and fraud prevention sessions help employees internalize security practically. Appointing "security champions" within departments fosters collective influence, and employees should feel safe reporting mistakes without fear of blame. Together, leadership buy-in, engaging training, and employee empowerment transform staff into the organization's strongest line of defence.

TCE: What are the most common risk management gaps you observe across enterprises today?

Dr. Priyanka Sunder (PD): Drawing from five years in Big 4 IT Advisory and over a decade in financial services, the most critical gaps I've observed are: absence of robust GRC solutions for effective risk and compliance management, lack of integrated patch management for real-time visibility and timely remediation, and inadequate cybersecurity awareness among employees, vendors, and customers. Other recurring gaps include weak change management, cloud security, access controls, and endpoint security.

TCE: How can cybersecurity leaders better communicate risk posture and investment priorities to executive stakeholders?

Dr. Priyanka Sunder (PD): Business leaders understand numbers and focus on the big picture, so it's imperative to speak their language. Present risk mitigations, GRC benefits, and cybersecurity impacts — financial losses, reputational damage, customer attrition, service disruptions — in quantifiable terms. Quantitative risk assessment models and GRC solutions can articulate the financial impact of control gaps, measurable ROIs, and periodic KRIs and KPIs, giving senior management clear assurance of cybersecurity's true value and supporting informed decision-making.

TCE: What advice would you give aspiring women professionals building careers in GRC and cybersecurity?

Dr. Priyanka Sunder (PD): Turning challenges into opportunities has been a defining theme for me — overcoming bias in the early years, managing burnout during peak career phases, and achieving breakthroughs in recent years. These experiences reinforced my belief that growth can be both intrinsic and extrinsic, lateral and linear. Stepping outside comfort zones fosters cross-functional skill development and cultivates a strong One Team culture. Continuous learning has been central to my own journey, and I encourage women professionals to leverage that same mindset to build resilient, long-term careers in cybersecurity.

The Cyber Express Weekly Roundup: Cyberattacks, AI Risks, and Geopolitical Cyber Threats

In this week's weekly roundup, The Cyber Express brings together the latest developments in global cybersecurity news, from high-profile ransomware attacks to emerging risks in AI adoption and geopolitical cyber activity. Organizations worldwide are grappling with a combination of disruptive cyberattacks, espionage campaigns, and ongoing threats to critical infrastructure, reflecting the complex and interconnected nature of today's threat landscape. Intelligence reports continue to highlight nation-state cyber operations, while companies and governments are recognizing that operational resilience, secure technology adoption, and coordinated defense strategies are essential to managing fast-evolving risks.

The Cyber Express Weekly Roundup 

Human Behavior Remains the Weakest Link 

Cybersecurity experts stress that the most significant vulnerabilities often stem from human behavior rather than technical shortcomings. In a recent discussion covered by The Cyber Express weekly roundup, Dr. Sheeba Armoogum emphasized that modern cyberattacks increasingly exploit trust, emotion, and predictable behavior through techniques like social engineering and AI-driven impersonation. Read more... 

Energy Sector Ransomware: Lessons from 2025 

The energy sector recorded 187 successful ransomware attacks in 2025, demonstrating the real-world consequences of cybercrime on critical infrastructure. Incidents such as Halliburton’s $35 million loss and significant outages in Ukraine revealed vulnerabilities in outdated systems, IT-OT convergence, and slow patching practices. Read more... 

EU Investigates Snapchat for Child Safety 

The European Commission has launched a formal investigation into Snapchat under the Digital Services Act (DSA), examining child protection, privacy, and content moderation practices. Concerns include insufficient age verification, exposure to harmful content, and the accessibility of reporting tools, with potential fines reaching 6% of Snapchat’s global turnover if non-compliance is confirmed. Read more... 

Hackmanac CEO Warns: Cybersecurity Still Fails at the Basics 

Sofia Scozzari, CEO of Hackmanac, emphasized that cybersecurity remains too focused on technology and often overlooks business risk, human behavior, and the operational impact of breaches. She explained that attackers collaborate and exploit known vulnerabilities, while organizations continue to treat cybersecurity as an IT issue rather than a strategic business challenge. Read more... 

Port of Vigo Disrupted by Ransomware 

The Port of Vigo experienced a ransomware attack early Tuesday, shutting down cargo management systems and digital services. Physical port operations remain functional, but manual processes are slowing workflows, particularly at the Border Inspection Post. Authorities confirmed servers linked to the port’s website remain offline as part of containment efforts. Read more... 

Russian Cybercrime Leader Sentenced 

In Detroit, Illya Angelov, head of the Russian cybercriminal group “Mario Kart,” was sentenced for running a botnet operation that infected thousands of computers daily and sold backdoor access to ransomware operators. Active from 2017 to 2021, the scheme targeted 72 U.S. companies across 31 states, sending 700,000 malware-laden emails daily and compromising roughly 3,000 systems each day. Read more... 

Crunchyroll Cyberattack Highlights Outsourced Risk 

Crunchyroll confirmed a cyber incident linked to a third-party vendor, likely affecting customer service ticket data. There is no evidence of ongoing access to internal systems, though early reports suggest a threat actor may have gained access through an infected vendor device. Read more... 

Weekly Takeaway 

This week’s weekly roundup highlights the growing complexity of the global cybersecurity landscape. From critical supply chain disruptions and challenges in AI governance to ransomware attacks, escalating geopolitical cyber threats, and vulnerabilities in third-party systems, organizations face an increasingly interconnected and high-stakes risk environment. To navigate these threats effectively, companies must prioritize human-centric security practices, enforce proactive governance frameworks, and implement continuous monitoring across all systems. Only through a strategic, multi-layered approach can organizations stay ahead in today’s hostile and fast-evolving digital ecosystem.

The Biggest Threat to Your Digital Security Isn’t a Hacker — It’s Human Nature, Says Dr. Sheeba Armoogum


What if the biggest vulnerability in your security system isn't a line of code — it's a person? That's the question driving one of cybersecurity's most compelling thinkers today. In this exclusive Dr. Sheeba Armoogum interview, we sit down with the Associate Professor in Cybersecurity at the University of Mauritius — a researcher, author, and strategist whose work spans AI-driven threat detection, digital forensics, cyberpsychology, and quantum security.

With over two decades of experience across academia, research, and industry, Dr. Sheeba Armoogum has built a reputation for asking the questions others overlook.

What happens to your digital identity after you die? Why do technically sound systems still get breached? And why does cybersecurity still struggle to include the very diversity of thinking it desperately needs?

Her recently published book, Digital Afterlife: A Global Framework for Law, Technology and Victim Justice, is already reshaping conversations around digital legacy and governance, a field most security professionals haven't even begun to map.

From the psychology behind cyberattacks to ethical AI design, from mentoring the next generation of women in cybersecurity to building systems that are not just intelligent but accountable, Dr. Sheeba Armoogum doesn't just defend networks. She defends trust.

Read the full Dr. Sheeba Armoogum interview below:

Dr. Sheeba Armoogum Interview on Women, Leadership, and Structural Change

TCE: You have worked across academia, research, and industry for over two decades. What first inspired you to pursue cybersecurity, and how has your journey evolved over the years?

Dr. Sheeba Armoogum: My journey into cybersecurity did not begin with a grand plan. It started with curiosity — an urge to understand how systems think, respond, and connect to the world. This fascination also led me to a realisation: as we became more interconnected, our vulnerability increased. I saw how easily systems could be compromised and how breaches affected not just data but people's finances, privacy, and sense of security. Cybersecurity transformed from a technical field into a deeply human concern. My doctoral research marked a significant turning point. It encouraged me to rethink not only how we block known threats but also how to build systems that can adapt, learn, and evolve. As my work progressed, I explored how AI could detect patterns humans might overlook, how digital forensics could protect justice, how cyberpsychology could explain why people become victims of manipulation, and how quantum cybersecurity could redefine what 'secure' truly means. Today, I no longer see cybersecurity merely as protecting infrastructure. I consider it as safeguarding trust.

TCE: Cybersecurity is constantly evolving with AI, quantum technologies, and digital forensics. Which emerging area do you believe will most reshape the future of cyber defense?

Dr. Sheeba Armoogum: Artificial Intelligence will transform cyber defense in ways we're only beginning to understand. Historically, security has been reactive: an attack occurs, a signature is created, and a patch is released. We are now shifting towards an era where systems must anticipate threats proactively. What excites me is the ability of AI-driven systems to detect subtle behavioural changes — minor anomalies potentially indicating an early breach before any damage occurs. At the same time, I remain cautious. When AI systems operate as black boxes, making decisions that even their creators can't fully explain, we face a different kind of vulnerability. Security architectures should be intelligent, yet also auditable, transparent, and ethically aligned. I envision systems that safeguard not only networks but also public confidence. Ultimately, cyber defence revolves around maintaining trust within a digital society.

TCE: As a global advocate for innovation and research, what are the biggest challenges women still face in cybersecurity, especially in leadership and technical research roles?

Dr. Sheeba Armoogum: While progress is visible, it is not yet deeply rooted structurally. More women are joining the field, but just entering the profession doesn't equate to having influence. Many women begin in operational or support roles, but fewer hold positions in advanced areas like algorithmic research, secure systems architecture, or strategic advisory roles where long-term security decisions are made. A subtle issue lies in how credibility is perceived. Women often need to repeatedly demonstrate their expertise before receiving recognition. Addressing this cannot depend only on encouragement — it demands institutional maturity, with deliberate access to fair research funding, structured doctoral mentorship, and inclusion in international research consortia. Representation in patent development, standards committees, and strategic innovation boards shapes the future of the field. Cybersecurity depends on diverse thinking, and when leadership includes a variety of experiences, overall resilience improves.


TCE: This year's Women's Day theme focuses on "Give to Gain." What does this idea mean to you in the context of mentoring and empowering the next generation of women in cybersecurity?

Dr. Sheeba Armoogum: For me, "Give to Gain" reflects how cybersecurity operates in reality. No system is completely secure by itself — resilience requires a collective effort, and sharing knowledge strengthens protection. I now see mentorship as more than generosity; it's a strategic investment in future stability. When young researchers are entrusted with complex algorithmic challenges or guided in ethical AI design, they are not merely acquiring knowledge; they are becoming integral to the next line of defence. When expertise is limited to a few individuals, systems become more fragile. When knowledge is shared thoughtfully, ecosystems are strengthened. In cybersecurity, giving is not a loss. It is multiplication.

TCE: You lead and mentor doctoral researchers through your CyberSecurity & Forensics Research initiatives. What are three practical steps organizations can take to encourage more women to enter advanced cybersecurity research?

Dr. Sheeba Armoogum: Our strategy should extend beyond motivational messages. First, organizations must establish well-defined, funded pathways into high-impact technical disciplines — opportunities in AI-based intrusion detection, quantum-safe cryptography, or advanced digital forensics need to be deliberately made accessible, making women integral contributors at the foundational level. Second, exposure plays a crucial role. True confidence is gained through hands-on experience — working in AI labs, contributing to secure system designs, or analysing real forensic datasets builds both technical skills and intellectual authority. Third, visibility holds significant influence. When women lead keynote technical sessions, showcase new algorithms, or participate in standards committees, it signals that leadership is not exceptional; it is normal. Aspiration is shaped by what appears achievable.

TCE: Your recent book, Digital Afterlife: A Global Framework for Law, Technology and Victim Justice, explores an important emerging topic. What inspired you to write it, and why is digital legacy becoming a critical cybersecurity and policy concern?

Dr. Sheeba Armoogum: Digital Afterlife originated from a recurring question: what happens to our digital footprint when we're gone? Cybersecurity conversations focus on breaches and encryption but often overlook what remains — digital identities, intellectual property, cloud storage, social media profiles, and AI models trained on personal information. Our legal and governance frameworks lag behind. When someone passes away, their digital footprints don't disappear; they persist. Families are left managing passwords, privacy policies, and legal uncertainties during moments of grief. Digital legacy has shifted from a philosophical concern to a practical security issue. Dormant accounts can be exploited for identity theft, unmanaged digital wallets are vulnerable, and research data may become compromised. The book provides a framework combining law, cybersecurity protocols, platform governance, and victim justice. Managing digital afterlife is not optional — it is an increasingly important responsibility. Safeguarding dignity must go beyond simply protecting life.

TCE: From a cybersecurity and digital forensics perspective, what should individuals and organizations start doing today to better manage digital footprints and digital assets after death?

Dr. Sheeba Armoogum: A significant part of our value — personal, intellectual, or economic — resides digitally. Individuals must treat digital assets with the same importance as physical property: online accounts, intellectual property, research data, digital wallets, and professional platforms all need to be accounted for. Estate planning now needs to include digital credentials and instructions — documenting digital footprints, clarifying data intentions, and ensuring lawful, secure transfer of access. Organizations share a similar responsibility. They should proactively create access procedures, developing structured data governance policies, clear transfer protocols, and memorialisation frameworks in advance. Without proactive planning, digital remnants can lead to identity theft, internal disputes, or legal issues. Cybersecurity must now focus on lifecycle management, understanding that digital systems outlive individuals, and governance should be structured to reflect this.

TCE: You work at the intersection of AI, cybersecurity, and cyberpsychology. How do you see human behavior influencing future cyber threats and defense strategies?

Dr. Sheeba Armoogum: Cyber threats now mainly target individuals rather than systems. The key vulnerability is often psychological. Social engineering is about manipulating trust. AI-generated impersonations sound convincing because they replicate familiarity. Sextortion tactics rely on fear and shame, while misinformation campaigns exploit biases and emotional reactions. Attackers analyse behaviour as carefully as they inspect infrastructure. This is why relying solely on technical security measures is insufficient. Cyber resilience must extend beyond architecture to include behavioural science, digital literacy, and psychological awareness. Analysing why people become victims reveals recurring patterns — emotional triggers, situational stress, and social influences. Recognising these patterns helps develop more effective training and awareness campaigns. Protecting systems depends on understanding people.

TCE: As both a CIO/CISO-level strategist and academic leader, how do you balance technical innovation with ethical responsibility, especially in AI-driven security environments?

Dr. Sheeba Armoogum: Every intelligent system makes decisions, but the key questions are whether those decisions are understandable, auditable, and justifiable. Bias auditing, explainability, and traceability are not mere administrative tasks; they are essential safeguards. Without them, there is a risk of embedding hidden biases or opaque processes into security systems. In high-stakes environments, there's often a push toward speed — but prioritising quick results without ethical oversight causes long-term instability. A system that functions well but isn't accountable will eventually erode trust. I do not see ethics as a barrier to innovation but as a means of stabilising the structure. Responsible innovation guarantees that as our systems grow more intelligent, they stay fair, transparent, and justifiable.

TCE: What advice would you give to young women aspiring to build impactful careers in cybersecurity, particularly those who may feel intimidated by the technical depth of the field?

Dr. Sheeba Armoogum: Take both the field and yourself seriously. Begin by mastering the fundamentals — understand how data moves through networks, how encryption protects information, and how AI models learn. A strong foundation naturally boosts confidence. Start exploring early, even if it feels overwhelming. Genuine progress happens when you apply theory to real-world challenges: designing, building, testing, and sometimes failing before achieving success. Do not let technical intimidation take over. True expertise is based on understanding, not volume. What truly matters in cybersecurity is competence, curiosity, and courage — the willingness to ask difficult questions and challenge assumptions. Your perspective is not just an addition to the field; it is vital to its development. Diversity in thinking improves architecture, refines threat modelling, and drives innovation. Your contribution is not minor; it is crucial.

Why Cybersecurity Still Fails at the Basics: Hackmanac CEO Sofia Scozzari


In this Sofia Scozzari interview with TCE, the Hackmanac CEO offers a grounded look at how today’s cyber threat landscape is evolving, and where organisations are still falling short. Drawing from her experience tracking real-world cyberattacks globally, Scozzari moves the conversation beyond tools and technology to focus on impact, decision-making, and preparedness. She describes a threat environment where attackers are constantly adapting, collaborating, and scaling their operations, while many organisations continue to treat cybersecurity as a technical function rather than a business risk. The result is a widening gap between how threats operate and how they are managed. In this Sofia Scozzari interview, she also reflects on recurring patterns, from known vulnerabilities being repeatedly exploited to the continued underestimation of human behaviour in security incidents. Her insights point to a clear need for stronger alignment between cybersecurity strategy and business priorities.
Here’s what she shared:

Sofia Scozzari Interview: Why Cybersecurity Must Move Beyond Technology

TCE: If you had to explain today’s cyber threat landscape using a real-world analogy (outside of technology), what would it be—and why?

Sofia Scozzari: I often describe the current cyber threat landscape as being like walking inside a beehive. If we haven’t been stung yet, we will be in the future. Threat actors constantly evolve, adapting to technological innovations, geopolitical shifts, and trending topics. They collaborate, specialize, and operate with “as-a-service” models that make offensive capabilities scalable and accessible. In contrast, defenders often act in isolation and hesitate to openly share incidents, which unintentionally preserves the attacker’s advantage. The result is a structural asymmetry between offense and defence, with offense taking advantage of collaboration. Even with the perfect defence strategy, we should assume exposure and breach are inevitable. The real strategic question is not "if," but rather how prepared we are when it happens. Just as biological systems develop resilience through collective immunity, cybersecurity requires structured information sharing and awareness to rebalance the attack–defence equation.

TCE: You’ve spent years analyzing cyberattacks globally through Hackmanac. What is one common assumption about cyber threats that you believe is completely misunderstood?

Sofia Scozzari: In my opinion, the most misunderstood assumption is that cybersecurity is exclusively a technical issue, a subset of IT, often resulting in a fraction of a company’s IT budget. Today, cyberattacks can disrupt far more than technological systems, affecting core business assets, operations, reputation, and even endanger human lives, as in healthcare, connected medical devices, or electric vehicles. Cyber risk extends beyond technology and has evolved into a strategic business risk. Therefore, it should be governed accordingly.

TCE: Looking back at your career journey, was there a single moment or decision that quietly changed your direction in cybersecurity? What did it teach you?

Sofia Scozzari: Looking back, the turning point in my career was my decision to leave traditional consulting and corporate roles to build my own company. This choice gave me the flexibility to determine how to intervene and effect change in the consideration and management of cybersecurity. After studying the problem more deeply, I realized that most cybersecurity decisions are mistakenly based on the volume of attacks (and not always the ones that really matter) rather than their impact. For this reason, we focus specifically on successful cyberattacks (an indication of where defences failed) and impacts (operational, financial, reputational consequences), providing executives and managers with precise, actionable strategic insight to guide cyber risk management.

TCE: In threat intelligence, patterns often repeat. Have you noticed any “cyber déjà vu” moments where organizations keep making the same mistakes despite better tools?

Sofia Scozzari: One recurring pattern in cybersecurity is the continued exploitation of known vulnerabilities. While it may be easy to interpret this as simple organizational negligence, the reality is that many companies operate highly complex environments built on legacy systems or mission-critical software certified only for specific versions. Updating these systems can introduce operational risk, making patch management far more challenging than it appears from the outside. The root cause, however, goes deeper: security by design is still not consistently embedded in the development process of systems, software, and applications. Instead, security is often treated as an additional layer applied after deployment rather than integrated from the outset. Moreover, unlike manufacturers of physical products, software vendors rarely face direct legal consequences when vulnerabilities in their products are exploited. The burden of mitigation largely falls on the end user, resulting in frequent preventable breaches.

TCE: Cybersecurity is often seen as highly technical, yet much of it is about human behavior. What human factor do you think organizations still underestimate the most?

Sofia Scozzari: Cybersecurity is often framed as a technological issue, which naturally drives attention toward software, infrastructure, and technical controls, underestimating the human factor. Consequently, a significant portion of compromises still originate from human interaction: credential misuse, poor security hygiene, insider risk, or simple misjudgement under pressure. Attackers understand this very well, which is why phishing and social engineering remain effective entry points. On the other hand, cybersecurity awareness among collaborators, including employees, consultants, and suppliers, is often overlooked as a key component of an effective cybersecurity defence strategy.

TCE: As a founder and leader, how do you personally stay ahead of constant change without getting overwhelmed by the speed of the cybersecurity industry?

Sofia Scozzari: I genuinely love cybersecurity because it evolves constantly: in this field, boredom is impossible. Continuous change forces you to think out of the box and to focus on the bigger picture rather than isolated details. In my role especially, understanding how technology, geopolitics, business dynamics, and human behaviour intersect is far more important than concentrating on a single technical dimension. I also don't believe that stepping away, even temporarily, means falling behind permanently. Throughout my career, I've taken pauses — sometimes by choice, sometimes not — and each time I returned with a broader perspective and stronger judgment. Soft skills such as adaptability, critical thinking, and strategic vision are just as important as technical expertise in the cybersecurity field. Equally important is maintaining a healthy balance between professional and personal life. For this reason, at Hackmanac we have chosen to work fully remotely, enabling flexibility and trust within the team.


TCE: On International Women’s Day, many conversations focus on representation. From your experience, what truly helps women stay and grow in cybersecurity—not just enter the field?

Sofia Scozzari: I strongly believe that cybersecurity, as a profession, has no gender. The perception that it is a male-dominated field is largely rooted in cultural conditioning. Many young women grow up internalizing the idea that they are less suited for technical subjects and are not always encouraged to pursue STEM paths. In reality, there are no inherent barriers. I personally know several extraordinary women in cybersecurity who bring passion, creativity, expertise, and talent to the field. Three factors truly help women grow in cybersecurity: early encouragement, inclusive environments (not only related to gender), and a strong focus on competence. First, early encouragement is important for students to choose their academic and future career paths. They should consider cybersecurity because it is a fast-growing industry with huge global demand, a meaningful impact, and strong long-term career prospects. Second, we must highlight the diversity of roles within cybersecurity. The field is not limited to highly technical positions. Legal, compliance, risk management, communications, strategy, and business roles are also essential. This makes the industry accessible to professionals from varied backgrounds who may wish to pursue a change in their careers. Finally, my advice for women already in the field is simple: focus on competence and results. Although challenges and biases may exist, sustained professionalism, expertise, and consistency build credibility over time. Cybersecurity needs diversity, not just for representation, but because complex global challenges require diverse perspectives.

TCE: The theme of our initiative is “Give to Gain.” What is one piece of knowledge or opportunity you received in your career that you now consciously pass forward?

Sofia Scozzari: One of the most valuable gifts I received in my career was trust. I was just a curious young girl looking into computers and learning how to assemble them. I was supported and encouraged to pursue that curiosity. Much of what I learned came more from hands-on experience rather than from formal education. I was fortunate to study in inclusive environments focused on preparing capable IT professionals, and equally fortunate to move across diverse roles — from system administrator to IT consultant, project manager, presales, and cybersecurity manager. Each transition expanded my perspective and forced me out of my comfort zone. What I consciously pass forward is that same encouragement: do not fear stepping beyond what feels familiar. Growth rarely happens inside comfort. I encourage professionals — especially younger ones — to focus less on self-doubt and more on how they can create value in any context, leveraging both technical expertise and soft skills, expertise and passion.

TCE: If you could redesign how organizations approach cybersecurity from scratch—without legacy systems or old processes—what would you do differently first?

Sofia Scozzari: If I could redesign how organizations approach cybersecurity from scratch, I would start by rethinking their decision-making structures. Currently, cybersecurity is often evaluated based on compliance checklists, budget constraints, or emergencies. Rarely is it fully integrated into strategic planning, performance metrics, or executive accountability. I would embed cyber risk directly into core business KPIs, forcing a reevaluation of budget allocation. This would enable security to influence product design, supply chain selection, partnerships, and investment decisions. Finally, I would ensure that security intelligence is continuously translated into board-level language. Leaders who don't usually receive technical alerts should at least receive strategic insights related to business exposure and impact to fully understand and manage their company's specific threat scenario.

‘Give to Gain’ is Relevant for Security and Resilience: Bonnie Butlin, Chats with TCE


In an era where cyber threats, geopolitical tensions, and physical security risks increasingly overlap, resilience has become central to how organizations and governments approach security. Few people have worked as actively to connect these conversations across borders and disciplines as Bonnie Butlin, co-founder and executive director of the Security Partners' Forum. Over the past decade, Butlin has helped build international networks that bring together professionals from across the security and resilience ecosystem—from corporate security leaders and policymakers to educators and emerging professionals. Through initiatives such as the Canadian Security Executive Forum and the Women in Security & Resilience Alliance, she has focused on breaking down silos in the industry while creating new pathways for collaboration, leadership, and mentorship. In this conversation, Butlin discusses the evolving nature of global risk, the growing importance of resilience in an increasingly complex threat landscape, and why collaboration remains one of the most powerful tools in modern security. Read the full interview excerpt below.

Bonnie Butlin on Why Modern Security Requires Global Cooperation

TCE: Our Women’s Day theme this year is “Give to Gain.” What does this theme mean to you personally and professionally?

Bonnie Butlin: I have always been passionate about security. It is more than a career to me; rather, something of a calling. Contributing to more secure and resilient communities doesn’t just benefit security professionals themselves, but also the families and societies they live in. Additionally, so much of the work that is done in professional security is done through associations, which rely on professionals and members to “Give to Gain”. Whether individually or collectively, this theme is relevant for security and resilience.

TCE: Can you share a moment in your career where supporting or mentoring others also helped shape your own growth as a leader?

Bonnie Butlin: My career trajectory seems too unconventional for traditional mentoring.  I prefer to take more of a strategic and structural approach. Understanding the structure and flow of the whole profession to help build capacity and connectivity, and create more points for people to enter, progress and move within security, will enable others to bring their own contributions to security and resilience. I often hear from women – especially at awards events – that they were mentored or had supportive spouses, which enabled them to succeed. Not everyone has the fortune of knowing the right person at the right time or having a strong support system. Strategically easing the friction points within the system as a whole, and growing networks, such as the Security Partners’ Forum (SPF), may help those without supports move more easily into and within the profession.

TCE: You have built international platforms connecting professionals across security and resilience. What gap did you see in the industry that led to the creation of the Security Partners’ Forum?

Bonnie Butlin: One of the biggest problems was the silos and lack of interconnectivity among disciplines and associations in security and resilience. While threats were becoming increasingly complex and interconnected, security experts and associations were often not communicating or even aware of each other. By connecting them, we were able to build an international network of security and resilience professionals and bodies. By interacting and learning from each other, problem solving was accelerated and the network expanded without reinventing the wheel or experiencing problems already encountered by others.

TCE: Security today spans cyber, physical, and geopolitical risks. How do you see the concept of “resilience” evolving for organizations?

Bonnie Butlin: The international power structures are being re-ordered, the great powers are competing at the grand-strategic level, legal frameworks and alliances are being strained, and ground rules are changing. This presents formidable challenges for organizations that operate at the strategic level at best, but are striving to be resilient. These conditions and trends also create gaps, seams and chaotic conditions in which complex threats can thrive and take advantage – and often do at scale. This is pushing the boundaries of professional security and resilience, and under compressed timelines, which may drive resilience innovation out of necessity, but with increased funding to fuel it.

TCE: Over your career in security and international affairs, what has been the most significant shift in how organizations approach risk?

Bonnie Butlin: I am noticing, particularly in recent years, a sea change in risk tolerance, including even a bifurcation in risk tolerance. At one end of the spectrum, ‘zero risk’ was introduced as a concept (e.g. locking down economies to prevent even one pandemic death), while at the other end of the spectrum ‘absolute risk’ acceptance (e.g. the possibility of nuclear war, which would not have been so easily accepted previously).  This bifurcation between absolute risk intolerance and absolute risk acceptance is not consistent with traditional security models and experience, yet has been appearing in recent years, almost without question. This may signal a change in the Western ‘way of war’.

TCE: You work closely with leaders across multiple countries. How important is global cooperation in addressing modern security threats?

Bonnie Butlin: Threats are becoming more complex, interconnected and potent, and in some cases collaborate transnationally and even in collaboration with states. The mass injections of money into the international system during the pandemic almost certainly fuelled threat groups at scale, unintentionally. The current wars, great power grand-strategic competition and international re-ordering currently underway, offers even greater opportunities for complex and significant threats.  Combatting international, empowered, and collaborative threats, while states and regions are at war, re-ordering international systems, and while traditional state and regional alliances are strained, will be exceptionally difficult - even more so without international cooperation on the security and law enforcement fronts.
Managing both conflict and cooperation among states will be a fine line in the current context, as threat groups operate relatively unrestrained.

TCE: The security industry is gradually seeing more women step into leadership roles. What changes still need to happen to accelerate this progress?

Bonnie Butlin: In the current global and economic contexts, jobs are becoming scarce and more competitive, often requiring the latest education and skills. I am deeply concerned about ageism and career disruptions, both for women and men. Longer-run focus on and flexible commitment to existing employees and cohorts may help accelerate women’s access to leadership roles and prevent permanent loss of talent from the workforce.
Cohort diversity can enhance mentoring and build opportunities all the way up the career ladder, while retaining experience and knowledge within the organization and security and resilience professions.
It can also capture talent from other sectors and disciplines, and recapture lost talent, experience and knowledge resulting from career disruptions or organizational change and lay-offs.

TCE: With rapid technological advancement, what emerging risks should security leaders start preparing for today?

Bonnie Butlin: Emerging risks to consider may include: First, setting an appropriate risk tolerance for an organization, in relation to technology adoption (especially AI), to get the right balance between under- and over-reliance on, and confidence in, new technology. Second, building an appropriate security and resilience posture against, for example, catastrophic attacks on critical infrastructure. This is particularly important as low probability, but high impact events (such as wartime attacks), are becoming more likely; and as fintech, drone technology, and newly unveiled experimental weaponry are playing new and prominent roles in conflict. Traditional threat assessment models and methodologies may have to be adapted. Third, the risk of government or organization overreach in terms of data access and surveillance - enabled by technology that is itself being super-funded and channeled in the context of great power grand-strategic competition and conflict, evolving privacy and legal landscapes, and more frequent appeals to national security necessity.

TCE: What skills or mindset shifts are most important for young professionals—especially women—entering the security and resilience field?

Bonnie Butlin: The issue may be structural, and young professionals may benefit from understanding trends and pressures. The preference for specialists vs. generalists in the workplace has oscillated over time. With technology advancing more rapidly than ever, the preference may be trending toward an extreme - ultra-specialization – which may itself have limitations. The recent mass tech lay-offs, in part, reflected substituting a programmer workforce with an AI workforce, rather than retraining/adapting existing employees. This substitution approach may make the tech sector more precarious for workers, especially older and more established workers, while education, training and up-skilling become more onerous.
Over time, this (substitution approach) may reduce the sector’s desirability for new entrants, may increase burnout risk in the profession, and will likely make long-run career planning more difficult.
Selecting and navigating an entire career trajectory from the outset may become even more difficult, whereas choosing an ultra-specialty in the short-run may be relatively easier. That said, the trend may eventually shift back to a preference for a more generalist and adaptable workforce, particularly if there is social pressure on the sector after a prolonged period of instability in the global economy, persistent career disruptions, and downward pressure on global workforce mobility.

TCE: What advice would you give to organizations looking to build stronger and more inclusive security leadership teams?

Bonnie Butlin: Organizations might consider, where possible, longer-run loyalty to, and investment in employees and their progression and growth - including with training, up-skilling opportunities, and mentoring. This may be strategically sound, particularly if the initial enthusiasm for AI wanes. Even if ultra-specialization continues to be preferred, promoting a more balanced workforce, across cohorts and time, may be beneficial. Balancing newly graduated and younger hires with older cohorts, employees re-entering the workforce after career disruptions and employees newly entering the tech space after previous careers in other sectors or specialties, will likely build more balanced workforces, with diverse thinking and experience, especially over time. This broader net in terms of experience and background may yield better and more nuanced result for communities and societies.

Cyber Risk Management Starts with Understanding the Business: CISO Hannah Suarez Explains Why


Cybersecurity leadership today looks very different from what it did a decade ago. As organizations accelerate digital transformation, the role of the Chief Information Security Officer (CISO) has expanded far beyond protecting systems. Today’s security leaders are expected to balance cyber risk management, business priorities, and regulatory demands—often across multiple industries and global markets. Hannah Suarez represents this evolving generation of cybersecurity leaders. As the CISO at Loyalty Status and the owner of Superuser OÜ and Citadel Byte Information Technology, she brings a rare blend of enterprise security experience and startup agility. Having worked across several industries—including telecommunications, aviation, and software startups—and across multiple international markets, Hannah understands that effective cyber risk management is not just about compliance frameworks. It starts with understanding the business, the technology behind it, and the risks that come with rapid innovation. As part of The Cyber Express Women in Cybersecurity series, we are dedicating the month of March to conversations with women shaping the future of cybersecurity. Throughout the month, we will be featuring interviews with security leaders from across the world who are driving change in areas such as cyber risk management, cloud security, governance, and leadership. In this conversation, Hannah shares her perspective on navigating cloud security responsibilities, avoiding compliance fatigue across multiple cybersecurity frameworks, and why supply chain vulnerabilities remain one of the most urgent challenges for organizations today. Below is the full conversation with Hannah Suarez.

Cyber Risk Management Insights from CISO Hannah Suarez

TCE: You have led cybersecurity and compliance programs across multiple industries, including telecommunications, aviation, and software startups. How does the approach to cyber risk management differ between fast-growing startups and more established enterprises?

Hannah: One of the key, obvious, differentiators is the approach to risk. Startups willing to absorb or delay risk treatment in favor of risk acceptance to grow is one example. Also, even if this is the approach for a startup that has to show itself as secure to enterprise, you can still wrap it in an ISO framework and have it in the ISMS so there is an actual approach.

TCE: With organizations increasingly adopting cloud-first strategies, what are the most common cloud security gaps you observe today, and how can CISOs address them proactively?

Hannah: First is to differentiate exactly what model this is when it comes to ownership and operations. For example, you onboard a new application which is on cloud (such as Salesforce) and from there determine if there is compliance responsibility by the operator or if it is entirely on the company. Or, we could be referring to operating a software that is managed by an operator on cloud (AWS, GCP, Azure). Or we could be talking about private cloud hosted instead. From there on, the layers become complex as you try to determine responsibility and ownership. Which components are going to be shared responsibility to operate, which components are not, and so on. Therefore, I find that a lot of time gets invested in trying to understand the solution first and why the business is heading in that direction by talking to the relevant stakeholders. I could really go on in more detail about cloud security in third party management, but the overall basis is who owns and who is responsible.

TCE: You have worked extensively with frameworks such as ISO, NIST, CIS, SOC, and SOX. How should organizations prioritize these frameworks without creating compliance fatigue?

Hannah: The problem is being framework-only. For example, why would one cite a NIST guideline from their cybersecurity framework if this isn’t relevant in the ISMS? So the challenge is to try to come back to the business first and then from there determine what should be prioritized. Coming back to the business involves applying risk management, since you also have to understand the responsibility of implementing and owning the risk. It doesn’t mean that you are limited to just one framework only – i.e. only follow ISO, or only follow NIST, etc. I did an exercise of going through multiple guidelines and frameworks to see what the information is on the supply chain management lifecycle from a holistic view, then went into the details for specific components of it (onboarding, offloading, etc.) that are more suitable to the current business process.

TCE: From your experience presenting to boards and executive teams, how can cybersecurity leaders better translate technical risks into business impact?

Hannah: You differentiate who is responsible: is it the business owner, the system owner, the risk owner, the contract owner? And adjust.

TCE: Having worked across diverse global markets, how do regional regulatory environments influence cybersecurity strategy and risk governance?

Hannah: It is dependent on recognising ownership of what applicable laws and regulations apply within the entire data flow or process flow. Therefore I start on the contractual component and work my way to how it is impacting the ISMS and then applying the ISMS.

TCE: As cyber threats continue to evolve, which emerging risk areas—such as AI-driven attacks or supply chain vulnerabilities—do you believe organizations should prepare for most urgently?

Hannah: Something that is a thorn for organizations that have undergone massive digital transformation is supply chain vulnerabilities. Addressing this is going to be at the core of addressing the more specialized topics, like AI-driven attacks. For example, you onboard new suppliers for a process that is required to use and store highly regulated commercial data, or highly sensitive data (such as biometrics like voice analysis). This new system then announces its intention to use data for its AI models. What next?

TCE: You have a strong background in building security maturity for organizations. What are the first three practical steps companies should take to strengthen their security posture in 2026?

Hannah: Have executive management involvement across the business. Understand the business and why it is going in a certain direction, like my answer previously on frameworks. Understand the components (vendors, suppliers, operators) that make up the business (like my answer previously on cloud).

TCE: As someone with an entrepreneurial mindset and experience across startups, how can cybersecurity enable business growth rather than being seen only as a compliance requirement?

Hannah: For startups, one of the issues that they face is building trust with enterprises. And compliance programs (be it ISO 27001, data protection management programs, etc.) are important to establish this. Not just for the objective third party view from an auditor, but also for the day to day running of the business. A lot of the enablement, without things devolving into some compliance checkbox, is for the startup to learn more about risk management – not just the TARA framework (Transfer, Accept, Reduce, Avoid) but to also get to ways that they don’t seek permission to do risk analysis, all the time. For this, it is risk exploitation, which is to be able to seize opportunities first, then working on the TARA method later. It is more like the saying “ask for forgiveness later”, in which the later part is to conduct the risk analysis later. Or the other way of saying it is to accept first, then analyse later.

TCE: On the occasion of International Women’s Day, what key actions can organizations take to create more inclusive and supportive environments for women in cybersecurity?

Hannah: Community is very important. As someone who has moved to several countries (with the UAE as my seventh), one of the things that you do is to find ways to try to ground yourself in a new community. This was very much evident in the UAE through initiatives for women in cyber security, and also being in other groups for women in technology that I am a part of for the wider GCC area. Organizations can choose to take part in more of these initiatives, or at least encourage and empower their employees to participate.

TCE: What advice would you offer to young women aspiring to build leadership careers in cybersecurity, particularly in areas like risk management and compliance?

Hannah: In the beginning, I was working as a system administrator for a software company. We had customers that needed to configure specific components to make it compliant (such as using FIPS cryptographic modules). In the end, I ended up learning more about these frameworks. When I pivoted more towards auditing and implementing ISMS for enterprises and organizations, the focus was less on the technical and being super specialized in it, and more on the business side and finding ways to get the business to reach and maintain compliance. Having a background in the two, I find, has been a valuable perspective to work in this area.

Conclusion

Hannah Suarez’s perspective is a reminder that cyber risk management is not just about frameworks or compliance checklists. At its core, it is about understanding how a business operates, who owns the risk, and how security decisions affect the organization as a whole. From navigating cloud security responsibilities to addressing growing supply chain vulnerabilities, Hannah emphasizes that security leaders must first understand the direction of the business before building controls around it. Only then can cybersecurity move beyond enforcement and become part of how organizations operate and grow. Her journey also highlights the importance of community and mentorship, particularly for women in cybersecurity who are building leadership roles across the industry. As organizations continue to evolve digitally, the challenge for CISOs will be balancing innovation with responsible cyber risk management. As Hannah suggests throughout this conversation, the starting point remains simple: understand the business, understand the risk, and build security programs that support both.