Cybersecurity as a Leadership Imperative

Insights from Harvey Nash CIO Voices

Cybersecurity isn’t just a technical concern anymore. It’s a leadership challenge, a business enabler, and, frankly, a nightly stressor for many executives. Harvey Nash’s CIO Voices, our monthly spotlight series, brings together tech leaders shaping the digital future, and this month we delve into what it truly means to lead in the age of cyber threats.

But first, a thank you to our contributors: Chris Logan, VP Information Security at DCU - Digital Federal Credit Union; Darren Remblence, CISO at 8x8; Sammy Basu, CISO at Careful Security; Roberto Galdamez, CISO at Kovack Financial Network; and Roberto Rubiano, CISO at Osigu. Their candid insights highlight how leaders are navigating risk, embracing AI, and turning cybersecurity from a checkbox into a strategic advantage.

So, what does cybersecurity as a leadership imperative really look like? Let’s unpack it.

 

What Keeps the Board Up at Night: Evolving Threats and Boardroom Concerns

Let’s start with the obvious: what keeps tech leaders awake at night? For Roberto Galdamez, it’s the rise of AI-driven threats and a constantly evolving regulatory landscape. “Compliance is a given,” he notes, “but what truly matters to the board are resilience, trust, and reputation.”

Meanwhile, Roberto Rubiano offers a surprising perspective: he sleeps well because he accepts what he can’t control. “I can only manage the risk and communicate what’s critical to C-level management,” he says. This isn’t complacency, it’s clarity. Rubiano also warns about the risks of developers using AI tools to generate code - by-coding practices. These innovations offer speed but carry hidden risks, demanding ongoing awareness and vigilance.

Sammy Basu echoes a nuanced point: “Cybersecurity is an evolving puzzle. Endpoint security, firewalls, compliance certifications are essential, but their effectiveness depends on ongoing assessment and evaluation.”

Here’s the thing: cybersecurity today is like steering a ship through unpredictable waters. You can’t control the waves, but with the right preparations, you can navigate safely.

 

Moving Beyond Compliance: Cybersecurity as a Strategic Business Driver

Traditionally, cybersecurity was seen as a “tick-box” exercise, mainly to satisfy ISO certifications, audit reports, and compliance checklists. Today, leaders like Darren Remblence and Chris Logan insist that it must go deeper. “It’s about embedding cybersecurity into business strategy,” Darren says, emphasizing that risk management and regulatory compliance can also enable growth.

Rubiano provides a tangible example: when explaining ransomware risk to the board, he translates technical threats into financial terms. “If a ransomware attack could cost $3 million, spending $500,000 on prevention becomes an easy conversation,” he explains. It’s simple, relatable, and effective; suddenly cybersecurity is not a cost center, but a strategic investment.

Similarly, Sammy Basu highlights a holistic approach. Compliance isn’t an end in itself; it’s a lever to drive operational discipline, client trust, and growth. The takeaway? Cybersecurity becomes a business differentiator when leaders speak in the language that boards understand.

 

The Art of Communication: Speaking Cyber in Business

Let’s be honest, technical jargon rarely resonates with non-technical executives. That’s why clear communication is critical.

Roberto Galdamez avoids referencing technical terms like common vulnerabilities and exposures (CVEs) or endpoint detection and response (EDR) alerts when speaking with the C-suite. Instead, he talks about financial penalties, downtime costs, and reputational impact. Rubiano takes a similar approach, relying on business impact analysis. “If you get too technical, you lose them. Talk in terms they understand,” he says.

Chris Logan adds another layer: contextual storytelling. By sharing real-world incidents, like breaches in similar companies, he makes risks tangible and relatable. Leaders can more clearly visualize the impact of lost clients, interrupted operations, and damaged reputation.

Here’s the subtle emotional cue: trust is built not through fear, but clarity. You don’t need to terrify your board with the infinite ways things can go wrong. You need them to see the stakes and act decisively.

 

AI: The Double-Edged Sword in Cyber Defense

AI is a game-changer for both attackers and defenders. Leaders across our discussions highlighted its dual role.

Roberto Rubiano is particularly cautious about “by-coding” practices, emphasizing data-level protection as the most critical priority. “Identity and threat detection matter, yes, but if the data itself is exposed, no layer of perimeter defense is enough.”

Meanwhile, Roberto Galdamez explains that AI helps defenders too. “AI-driven analytics for anomaly detection and insider risk are embedded in a defense-in-depth model,” he says. Identity is now the new perimeter, and AI can help monitor it efficiently.

Sammy Basu offers practical guidance: “Enforce policies at the browser or endpoint level, train employees on AI usage, and ensure corporate accounts are used for company-sensitive data. Without these, even the best AI tools can be a vulnerability.”

Here’s the thing: you can build higher walls, but the real defense is protecting what’s inside the vault. Data-level awareness, identity safeguards, and human training together form the best line of defense.

 

Investing in Resilience: Priorities for the Year Ahead

So where are leaders actually investing? The consensus is clear: visibility, identity management and secure development practices.

Rubiano is laser-focused on observability at the product level. Tools for static and dynamic analysis, secure SDLC practices, and vendor collaboration are critical. “If you can measure it, you can manage it,” he says.

Basu, Remblence, and Logan emphasize continuous monitoring and proactive defenses, whether that’s endpoint security, AI oversight, or supply chain risk management. Vendor accountability is also a priority. “Outsourcing doesn’t mean outsourcing responsibility,” Galdamez notes, recalling the SolarWinds incident as a cautionary tale.

In short, resilience isn’t about buying the latest tool. It’s about integrated strategy, multi-layered defenses, and trusted partnerships.

 

Leadership Under Fire: Learning from Real-World Experience

Theory is one thing; practice is another. Rubiano shares a striking anecdote from a past logistics project where management wanted cheaper, less secure ID cards, but through proactive controls and validations, his team mitigated risk without halting operations.

Basu tells similar stories: proactive monitoring and full-service support often prevent incidents before they happen. These examples highlight a subtle truth: cybersecurity leadership often means making calculated trade-offs under real constraints. Budget, operations, and risk tolerance all play a role.

Chris Logan notes, “Leadership under fire requires balancing innovation with protection. It’s a delicate dance, but the best leaders know that perfect security is a myth, strategic preparation and continuous improvement are the real defenses.”

 

The Evolving Imperative

Today’s cybersecurity leaders must blend strategy, communication, technology, and human judgment. As AI-driven threats and vendor dependencies grow, leaders like Logan, Remblence, Basu, Galdamez, and Rubiano demonstrate that the role of a tech executive has never been more dynamic or more critical.

Thank you again to all our contributors for sharing insights that are as practical as they are inspiring.

Next month, we’ll explore “Building Resilient Tech Teams in Hybrid Work.” Because in today’s world, resilience isn’t just about systems and data, it’s about the people who power them. Stay tuned.

