CISOs are the ones with the final say. They're balancing boardroom pressure, regulatory headaches, and a security team that's stretched thin. To stay ahead of threats, many are turning to proactive threat intelligence strategies that help them make smarter, faster decisions. Right beside them are the practitioners — the engineers and analysts who run the tools every day and know when something will actually work in the real world.
This page is designed as a field guide. Not theory, not vendor slides — but a practical way to track who the key security leaders are, what they care about, and how to earn their attention.
You'll find:
- A curated list of CISOs and practitioners (with verified profiles) across industries.
- Their focus areas: from Zero Trust and identity to XDR, CNAPP, and cloud security.
- What kind of proof they respond to — implementation stories, ROI evidence, peer case studies.
If you're in cybersecurity sales, alliances, or even a founder trying to land enterprise deals, this isn't just background reading. It's meant to help you walk into a meeting with context, credibility, and something useful to say.
Why CISOs Matter
- Decision-Makers at the Top → CISOs have the final say on which security tools and platforms make it into the stack. No CISO buy-in, no deal.
- Bridge Between Board & Security Teams → They translate business risk and budgets into real-world security requirements.
- Focus on ROI & Risk Reduction → Flashy features don't cut it. They want proof a solution reduces measurable risk and pays for itself.
- Influencers of Security Culture → If a CISO backs a tool, the rest of the security team takes it seriously.
- Strategic Shapers → Beyond buying tech, they set the direction of an organization's entire security posture.
Why Follow CISOs & Practitioners
If you're selling or partnering in cybersecurity, tracking CISOs and practitioners isn't optional — it's table stakes. Here's why they're worth your attention:
- They make the shortlist: No tool makes it to procurement without the CISO or Head of Security nodding yes.
- They define the real requirements: Things like “works with Splunk,” “SOC 2-ready,” “API-first” often come straight from their teams.
- They validate ROI: If your pitch doesn't connect to cost savings or measurable risk reduction, you're done.
- They influence peers: Many are on LinkedIn, speaking at RSA, or swapping notes at invite-only dinners. What they endorse spreads fast.
The Influence Map (2025 Themes)
When you hang around CISOs long enough, you notice patterns. Not trends-for-trends-sake, but the real issues they keep circling back to over coffee, in panels, or behind closed doors. Here's what's dominating the playbook this year:
- SOC Modernization & XDR: The old “20 tools, 200 dashboards” model is collapsing. CISOs are desperate to cut noise, unify detection, and give analysts a fighting chance. If you can prove fewer false positives and faster response, you're in the game.
- Zero Trust & IAM: This isn't hype anymore. It's the backbone of security strategies. Every board is asking, “Have we done Zero Trust yet?” and CISOs need real enforcement across apps, devices, and remote users.
- Cloud Security at Scale: Multi-cloud chaos is real. Teams are stitching together CNAPP, CSPM, and automation just to keep up. If you help them tame AWS/Azure/GCP sprawl without a 12-month rollout, you'll get attention.
- Compliance as a Budget Driver: Like it or not, acronyms write checks: NIS2 in Europe, DORA for financials, PCI DSS v4, FedRAMP in the US. If your solution makes audits easier or regulators calmer, you're speaking their language.
- AI in the SOC: CISOs are cautiously poking at AI copilots — not for magic, but to triage alerts, guide investigations, and handle grunt work. The promise: free analysts from drowning in alerts so they can chase real threats.
- OT & Critical Infrastructure: If you're in energy, transport, or manufacturing, uptime is king. CISOs here care less about “next-gen dashboards” and more about “don't let malware take my turbines offline.” Safety and continuity come before anything else.
The 2025 CISO & Practitioner Directory
In this section, you'll find a curated directory of top CISOs and security practitioners for 2025. It's organized by categories so you can quickly spot the leaders most relevant to your industry and focus area.
Global Enterprise CISOs & Security Leaders
Leader | Company | Role | Focus / Niche | Country |
Stephen Schmidt | Amazon Web Services | VP & CSO | Cloud security, enterprise guardrails | USA |
Bret Arsenault | Microsoft | CVP & CISO | Platform & identity at massive scale | USA |
Guy Rosen | Meta | CISO | Abuse prevention, large-scale appsec | USA |
Phil Venables | Google Cloud | Security Advisor (ex-CISO) | Board-level risk, cloud controls | USA |
Bala Sathiamurthy | Atlassian | CISO | SaaS & developer platform security | Australia |
David Bradbury | Okta | Chief Security Officer | Identity & Zero Trust | USA |
Jaya Baloo | Rapid7 | Chief Security Officer | Detection & response, threat intel | USA (global) |
Michael Fanning | Splunk | CISO | SOC analytics, resilience | USA |
Henry Shiembob | JPMorgan Chase | Global CISO | Software supply chain, resilience | USA |
Tim Brown | SolarWinds | CISO | SDLC hardening, supply chain | USA |
Aanchal Gupta | Adobe | Chief Security Officer | Product & enterprise security | USA |
George Stathakopoulos | Apple | VP, Corporate InfoSec | Corporate & product lifecycle | USA |
Rob Black | Fractional CISO | CISO | vCISO services, SOC modernization, small-enterprise programs | USA |
AJ Yawn | Aquia | CEO & Security Leader | SOC 2 automation, continuous monitoring, compliance-driven SOC ops | USA |
Zero Trust & Identity Leaders
Leader | Company | Role | Focus / Niche | Country |
Bala Sathiamurthy | Atlassian | CISO | DevSecOps, Identity-first security in cloud-native environments. | Australia |
David Bradbury | Okta | Chief Security Officer | Identity & Zero Trust, breach communication and resilience. | USA |
Phil Venables | Google Cloud | Security Advisor (ex-CISO) | Board-level risk, cloud security architecture, Zero Trust maturity. | USA |
Guy Rosen | Meta | CISO | Large-scale identity, abuse prevention, and application security. | USA |
Tim Brown | SolarWinds | CISO | Supply chain security, post-breach resilience, and secure software development lifecycle (SDLC). | USA |
Jaya Baloo | Rapid7 | Chief Security Officer | Threat intelligence, detection, and response, with a focus on human and non-human identity. | USA (Global) |
George Stathakopoulos | Apple | VP, Corporate InfoSec | Corporate and product lifecycle security at massive scale. | USA |
Michael Fanning | Splunk | CISO | SOC analytics, resilience, and data-driven security. | USA |
Patrick “Pat” Opet | JPMorgan Chase | Global CISO | Software supply chain, resilience, and vendor risk. | USA |
Andrew Wilder | Vetcor | CSO | Zero Trust implementation in hybrid and legacy environments. | USA |
Heather Adkins | | Security Engineering | Zero Trust and large-scale secure systems. | USA |
Keren Elazari | TED Speaker, Security Analyst | Independent | Hacker culture, ethical hacking, and the role of identity in security. | Israel |
Rinki Sethi | ForgeRock | Advisor / Ex-CISO | IAM / Governance | USA |
Pete Nicoletti | Check Point Software | Global CISO | Zero Trust Architecture | Israel |
Jay Chaudhry | Zscaler | Founder & CEO (ex-CISO) | Cloud-based Zero Trust | USA |
Mickey Boodaei | Transmit Security | CEO (ex-CISO) | Biometric Identity / FIDO | USA/Israel |
Dor Liniado | CyberArk | Chief Security Officer | IAM / Privileged Access | USA/Israel |
Nick Espinosa | Security Fanatics | CISO | Zero Trust, IAM frameworks, SMB cybersecurity | USA |
Lenny Zeltser | Axonius | CISO | Identity asset management, Zero Trust enforcement | USA |
Paul Valente | Viso Trust | CEO & Co-founder at VISO TRUST, fmr CISO | Vendor security, third-party risk, Zero Trust approaches | USA |
Cloud & SaaS Security CISOs
This list features prominent CISOs from cloud-native, SaaS-first organizations. These leaders are experts in securing multi-tenant environments and leveraging native cloud security services to protect business-critical applications and data at scale.
Leader | Company | Role | Focus / Niche | Country |
Stephen Schmidt | Amazon Web Services | VP & CSO | Cloud security, enterprise guardrails. | USA |
Bret Arsenault | Microsoft | CVP & CISO | Platform security at massive cloud scale. | USA |
Aanchal Gupta | Adobe | Chief Security Officer | Product & enterprise cloud security. | USA |
Shamla Naidoo | Netskope | CISO | Cloud security, SASE architecture. | USA |
Lakshmi Hanspal | Box | CISO | SaaS security, cloud content management. | USA |
Michael Fanning | Splunk | CISO | SOC analytics, cloud resilience. | USA |
Patrick “Pat” Opet | JPMorgan Chase | Global CISO | Software supply chain, cloud resilience. | USA |
Eric Boateng | MassMutual | CISO | Digital transformation, multi-cloud. | USA |
Ben de Bont | ServiceNow | CISO | SaaS platform security, compliance. | USA |
Marnie Wilking | Booking.com | CISO | Consumer SaaS security, global scale. | Netherlands |
Rich Nagle | Ohio State University | CISO | Cloud security in academia, research. | USA |
Assaf Rappaport | Wiz | Co-founder & CEO (ex-CISO) | Cloud vulnerability and posture | USA/Israel |
David Bradbury | Okta | Chief Security Officer | Workforce cloud identity | USA |
Mickey Boodaei | Transmit Security | CEO (ex-CISO) | Passwordless/Biometric SaaS identity | USA/Israel |
Pete Nicoletti | Check Point Software | Global CISO | Secure cloud migration | Israel |
Emily Wearmouth | DocuSign | CISO | SaaS platform security | USA |
Ian Coldwater | Docker | Senior Principal Security Architect | Cloud-native container security | USA |
Frank Balonis | Kiteworks | CISO | Secure SaaS content communication | USA |
AI & SOC Modernization CISOs
This list features security leaders who are at the forefront of transforming the Security Operations Center (SOC). They are actively leveraging artificial intelligence, machine learning, and automation to move from a reactive, alert-driven model to a proactive, threat-informed defense. Their work focuses on improving efficiency, reducing alert fatigue, and staying ahead of sophisticated, AI-driven attacks.
Leader | Company | Role | Focus / Niche | Country |
Steve Zalewski | Levi Strauss & Co. (ex-CISO) | CISO Advisor | SOC transformation, AI strategy, leadership. | USA |
Bret Arsenault | Microsoft | CVP & CISO | AI-integrated security workflows | USA |
Josh Lemos | GitLab | CISO | AI-assisted threat triage | USA |
Justin Dellaportas | Syniverse | CISO | AI alert filtering | USA |
Patrick O'Keefe | Alimentation Couche-Tard | Head, Global Cyber Risk | Autonomous alert response | Canada |
Carrie Mills | Southwest Airlines | CISO | AI-governed SOC ops | USA |
Jason Lish | Cisco | Global CISO | AI-enhanced XDR & orchestration | USA |
Edward Wu | Dropzone AI | Founder / CISO | AI SOC analyst agents | USA |
Michael Fanning | Splunk | CISO | SOC analytics, AI/ML for security. | USA |
Jaya Baloo | Rapid7 | Chief Security Officer | Detection & response, threat intelligence. | USA (Global) |
Phil Venables | Google Cloud | Security Advisor (ex-CISO) | Board-level risk, AI governance. | USA |
Rich Nagle | Ohio State University | CISO | SOC modernization, security leadership. | USA |
Lakshmi Hanspal | Box | CISO | SaaS security, proactive defense. | USA |
Andrew Fenton | Bausch Health | CIO | AI in security, SOC automation. | USA |
Sebastian Lange | SAP | Global CISO | Security operations, AI-driven defense. | Germany |
Keren Elazari | TED Speaker, Security Analyst | Independent | Hacker culture, AI's role in security. | Israel |
Harold Rivas | Trellix | Global CISO | XDR, AI-powered security. | USA |
Jack Naglieri | Panther | Founder & CTO | Cloud-native SIEM, AI-driven SOC automation | USA |
Compliance & Regulatory-Heavy CISOs
These CISOs are not only technical experts but also masters of governance, risk, and compliance (GRC) in some of the most stringently regulated sectors globally. Their expertise lies in navigating complex legal frameworks, ensuring data privacy, and building a security program that stands up to intense audits and public scrutiny.
Leader | Company | Role | Focus / Niche | Country |
Hemangini Thakkar | HSBC | CISO | Multi-jurisdiction banking, privacy | UK |
Cezary Piekarski | Standard Chartered | Group CISO | Cross-border banking, compliance | Asia/UK |
Tim Held | U.S. Bank | EVP & CISO | FFIEC, risk quant, resilience | USA |
Susan Koski | PNC Financial Services | EVP & CISO | Financial services, third-party risk | USA |
Christopher Porter | Fannie Mae | SVP & CSO (CISO) | Financial services, FAIR risk | USA |
Deneen DeFiore | United Airlines | VP & CISO | Aviation, critical infrastructure | USA |
Nasrin Rezai | Verizon | SVP & CISO | Telecom, critical infrastructure | USA |
Christophe Gabioud | AXA | Group Chief Security Officer | Insurance, solvency, privacy | France |
Andrew Coyne | Mayo Clinic | CISO | Healthcare, HIPAA/HITRUST | USA |
Tim McKnight | UnitedHealth Group | EVP & CISO | Healthcare, breach recovery | USA |
Vishal Salvi | Quick Heal / Seqrite | CEO (ex-Infosys CISO) | Enterprise compliance, GRC | India |
Phil Venables | Google Cloud | Strategic Security Advisor (ex-CISO) | Regulated cloud, risk | USA |
Thomas H | Santander | CISO | Global banking, risk | Spain/UK |
Patrick “Pat” Opet | JPMorgan Chase | Global CISO | Software supply chain, third-party risk. | USA |
Eric Boateng | MassMutual | CISO | Financial services, digital transformation. | USA |
Sandro Bucchianeri | National Australia Bank | Group Chief Security Officer | Banking security, global risk management. | Australia |
Joe Martinez | Aon | Global CISO | Insurance, cyber risk, data privacy. | UK |
Rich Baich | AT&T | VP & CISO | Telecommunications, critical infrastructure. | USA |
Rich Nagle | Ohio State University | CISO | Research security, academic compliance. | USA |
Roland Cloutier | CISO Advisor (ex-TikTok) | CISO Advisor | Global privacy, national security. | USA |
Sameer Ratolikar | HDFC Bank | EVP & Head, Information Security | Banking, risk management. | India |
Eric Galis | Cengage | Business Leader | EdTech, student data privacy. | USA |
Sagar Chavan | Axis Mutual Fund | SVP & CISO | Financial services, compliance. | India |
Manoj Sarangi | IndusInd Bank | SVP & CISO | Banking, ISO 27001, IT strategy. | India |
Matt Hillary | Drata | CISO | SOC 2, HIPAA, ISO 27001 compliance automation | USA |
Christina Cacioppo | Vanta | Founder & CEO | Automated compliance, SMB GRC frameworks | USA |
OT/ICS & Critical Infrastructure CISOs
These leaders are serious about real-world safety and uptime. They secure power systems, telecom networks, manufacturing lines, or urban infrastructure—where failure isn't just lost dollars, but dangerous.
Leader | Company | Role | Focus / Niche | Country |
Roland Cloutier | ADP (ex-TikTok) | Former Global CSO | Critical infrastructure resilience in consumer tech | USA |
Dawn Cappelli | Dragos | CEO & Co-Founder (ex-ICS CISO) | Industrial threat detection | USA |
James Shira | PwC | CIO & CISO | Energy & utility cyber risk | USA |
Phil Venables | Google Cloud | Security Advisor (ex-CISO) | OT/ICS security for cloud workloads | USA |
Devender Kumar | Secura | Principal Security Expert | Dutch infrastructure OT risk | Netherlands |
Malcolm Harkins | Epiphany Systems | CSO | OT/ICS operational resilience | USA |
Tim Held | U.S. Bank | EVP & CISO | OT security for financial services | USA |
Arve Kjoelen | McAfee Enterprise | CEO (ex-CISO, Cisco) | Infrastructure-level threat management | USA |
Hannah Brown | NIST | Incident Responder / Advisor | Energy & infrastructure incident handling | USA |
Nicholas Santillo Jr. | American Water | Director, Chief Security Architect | Water utility ICS/OT | USA |
Christopher Henderson | Huntress | Senior Security Researcher | ICS/OT threat hunting, SOC response | USA |
Lesley Carhart | Dragos | Director of Incident Response | ICS/OT incident response, critical infrastructure protection | USA |
APAC & Middle East CISOs
These are the ones navigating diverse regulations, massive scale, and regional nuance—if your product offloads audit pain or streamlines multi-jurisdictional enforcement, they'll listen.
Leader | Company | Role | Focus / Niche | Country |
Durga Prasad Dube | Reliance Industries | EVP & CISO | Energy conglomerate security | India |
Shiv Kumar Pandey | Adani Group | Group CISO | Infrastructure, transport, energy security | India |
Sameer Ratolikar | HDFC Bank | CISO | Banking, digital transformation security | India |
Vishal Salvi | Quick Heal / Seqrite | CEO (ex-Infosys CISO) | Enterprise security leadership | India |
Pete Nicoletti | Check Point Software | Global CISO | Israel cyber defense leadership | Israel |
Trishneet Arora | TAC Security | CEO | ASM, VAPT for enterprise | India |
Anand Prakash | PingSafe (acquired) | Founder & CEO | Cloud/SaaS security post-acquisition | India |
Saket Modi | Safe Security | Co-Founder & CEO | Cyber risk quantification, APAC enterprise security | India |
Influencers & Advisors (ex-CISOs)
These are the trusted voices—no longer in the CISO chair, but still in the room. Their frameworks, podcasts, and advisory roles influence buying decisions before a demo ever happens.
Leader | Company | Role | Blend / Niche |
Wendy Nather | 1Password (ex-Duo/Cisco) | Senior Research Initiatives Director | Advisory CISO, research voice |
Bob Kolasky | CISA (former) | Former U.S. Infrastructure CISO | National incident prep |
Anton Chuvakin | Google Cloud | Security Advisor (ex-CISO) | Regulated cloud security |
Deepak Gupta | GrackerAI | CEO/CISO | AI-driven PLG & cybersecurity SaaS |
Useful Resource: How to get CISO to Respond to Cold Emails
How Vendors Should Approach CISOs
- Lead with the pain, not the pitch: “If you start with a 20-slide deck about your ‘AI-driven synergy platform,' I'm already checking email. Show me how you'll stop the breach that keeps me awake.”
- Respect their time: CISOs aren't browsing demos for fun. They're slammed. If you get 15 minutes, don't waste 10 on your company history.
- Bring proof, not promises: Everyone says “we reduce risk.” Few can show a real case study with metrics. Numbers matter more than adjectives.
- Talk outcomes, not features: “I don't care if it uses blockchain, fairy dust, or hamsters in a wheel. If it lowers my audit findings or saves my analysts 20 hours a week, I'll listen.”
- Be blunt about limitations: Nothing earns respect faster than a vendor who admits, “We don't cover X. You'll still need Y.” That honesty sticks.
- Tailor to their industry: A hospital CISO hears “patient safety.” A bank CISO hears “regulator off my back.” Same product, different story.
- Support the team, not just the boss: Win over their lieutenants—the SOC manager, the architect. If they vouch for you, the CISO signs faster.
- Follow up like a human: Not with five automated “Just checking in!!!” emails. One thoughtful note with a relevant insight goes way further.
What CISOs Care About (In Their Own Words)
- Risk above all else: “I don't care if it's shiny AI—show me how it cuts breach exposure today.”
- Compliance headaches: “Half my week is mapping controls to acronyms—GDPR, HIPAA, PCI. Miss one, and it's a lawsuit.”
- How painful the rollout is: “If my team needs six months of training, forget it. I need plug-and-play, not another science project.”
- Proof they can show upstairs: “The board doesn't want tech talk. They want a chart that shows red risk boxes turning green.”
- Future-proofing: “I'm not buying a tool for 500 users today if it'll break at 5,000 tomorrow.”
- Reputation and trust: “If a vendor's been breached or fudged a report once… word spreads fast. I won't risk my badge.”
- Reducing the noise: “My SOC is already drowning in alerts. If you add more without filtering, you're not helping me.”
- Staff shortages: “I've got two open reqs for analysts and no candidates. If your product saves headcount, now you're talking.”
Wrapping It Up
At the end of the day, CISOs and their teams don't just buy tools — they bet their careers on them. If you want to earn a seat at their table, you need more than buzzwords. You need proof, context, and respect for how they work.
That's why this guide exists: to help you see the world through their eyes, know who actually shapes decisions, and understand the themes driving 2025 budgets.
If you're serious about selling into enterprise security:
- Start with the people (the CISOs and practitioners who matter).
- Speak their language (risk, ROI, compliance, outcomes).
- Back it up with evidence (case studies, metrics, peer validation).
This page is just one piece of the bigger map. Check out our guides on Cybersecurity CEOs & Platform Leaders, Cybersecurity Influencers & Experts, and Top Cybersecurity VC Resources to complete the picture.