
CISO Hannah Suarez Explains Why – The Cyber Express

by admin
March 12, 2026

Cybersecurity leadership today looks very different from what it did a decade ago. As organizations accelerate digital transformation, the role of the Chief Information Security Officer (CISO) has expanded far beyond protecting systems. Today’s security leaders are expected to balance cyber risk management, business priorities, and regulatory demands—often across multiple industries and global markets.

Hannah Suarez represents this evolving generation of cybersecurity leaders. As the CISO at Loyalty Standing and the owner of Superuser OÜ and Citadel Byte Data Know-how, she brings a rare blend of enterprise security experience and startup agility. Having worked across multiple industries—including telecommunications, aviation, and software startups—and across several international markets, Hannah understands that effective cyber risk management is not just about compliance frameworks. It begins with understanding the business, the technology behind it, and the risks that come with rapid innovation.

As part of The Cyber Express’ Women in Cybersecurity series, we are dedicating the month of March to conversations with women shaping the future of cybersecurity. Throughout the month, we will be featuring interviews with security leaders from across the world who are driving change in areas such as cyber risk management, cloud security, governance, and leadership.

In this conversation, Hannah shares her perspective on navigating cloud security responsibilities, avoiding compliance fatigue across multiple cybersecurity frameworks, and why supply chain vulnerabilities remain one of the most urgent challenges for organizations today.

Below is the full conversation with Hannah Suarez.

Cyber Risk Management Insights from CISO Hannah Suarez

TCE: You have led cybersecurity and compliance programs across multiple industries, including telecommunications, aviation, and software startups. How does the approach to cyber risk management differ between fast-growing startups and more established enterprises?

Hannah: One of the key, obvious, differentiators is the approach to risk. Startups willing to absorb or delay risk treatment in favor of risk acceptance to grow is one example. Also, even if this is the approach for a startup that has to show itself as secure to enterprise, you can still wrap it in an ISO framework and have it in the ISMS so there’s an actual approach.

TCE: With organizations increasingly adopting cloud-first strategies, what are the most common cloud security gaps you observe today, and how can CISOs address them proactively?

Hannah: First is to differentiate exactly what model is this when it comes to ownership and operations. For example, you onboard a new application which is on cloud (such as Salesforce) and from there determine if there is compliance responsibility by the operator or if it is entirely on the company. Or, we could be referencing to running a software that is managed by an operator on cloud (AWS, GCP, Azure). Or we could be talking about private cloud hosted instead.

From there on, the layers become complex as you try to determine responsibility and ownership. Which components are going to be shared responsibility to operate, which components are not, and so on.

Therefore, I find that a lot of time gets invested in trying to understand the solution first and why the business is heading into that direction by talking to the relevant stakeholders. I could really go on in more detail about cloud security in third party management, but the overall basis is who owns and who is responsible.


TCE: You have worked extensively with frameworks such as ISO, NIST, CIS, SOC, and SOX. How should organizations prioritize these frameworks without creating compliance fatigue?

Hannah: The problem is being framework-only. For example, why would one cite a NIST guideline from their cybersecurity framework if this is not relevant in the ISMS? So the challenge is to try to come back to the business first and then from there determine what should be prioritized. Coming back to the business involves applying risk management, since you also have to understand the responsibility of implementing and owning the risk.

It doesn’t mean that you are limited to just one framework only – i.e. only follow ISO, or only follow NIST, and so on. I did an exercise of going through several guidelines and frameworks to see what the information is on supply chain management lifecycle on a holistic view, then went into the details for specific components of it (onboarding, offloading, and so on) that is more suitable to the current business process.

TCE: From your experience presenting to boards and executive teams, how can cybersecurity leaders better translate technical risks into business impact?

Hannah: You differentiate who is accountable, is it the business owner, the system owner, the risk owner, the contract owner. And adjust.

TCE: Having worked across diverse global markets, how do regional regulatory environments influence cybersecurity strategy and risk governance?

Hannah: It’s dependent on recognising ownership of what applicable laws and regulations apply within the entire information flow or process flow. Therefore I start at the contractual part and work my way to how it is impacting the ISMS and then applying the ISMS.

TCE: As cyber threats continue to evolve, which emerging risk areas—such as AI-driven attacks or supply chain vulnerabilities—do you believe organizations should prepare for most urgently?

Hannah: Something that is a thorn for organizations that have undergone large digital transformation is supply chain vulnerabilities. Addressing this is going to be at the core of addressing the more specialised topics, like AI-driven attacks.

For example, you onboard new suppliers for a process that is required to use and store highly regulated business data, or highly sensitive data (such as biometrics like voice analysis). This new system then announces their intention to use data for their AI models. What next?

TCE: You have a strong background in building security maturity for organizations. What are the first three practical steps companies should take to strengthen their security posture in 2026?

Hannah: Have executive management involvement across the business. Understand the business and why it is going in a certain direction like my answer previously on frameworks. Understand the components (vendors, suppliers, operators) that make up the business (like my answer previously on cloud).

TCE: As someone with an entrepreneurial mindset and experience across startups, how can cybersecurity enable business growth rather than being seen only as a compliance requirement?

Hannah: For startups, one of the issues that they face is building trust with enterprises. And compliance programs (be it ISO 27001, data security management programs, and so on) are important to establish this. Not just for the objective third party view from an auditor, but also for the day to day running of the business.

A lot of the enablement, without things devolving into some compliance checkbox, is for the startup to learn more about risk management – not just the TARA framework (Transfer, Accept, Reduce, Avoid) but to also get to ways in which they don’t seek permission to do risk assessment, all the time. For this, it’s risk exploitation which is to be able to seize opportunities first, then working on the TARA methodology later. It’s more like the saying “make an apology later” in which the later part is to conduct the risk assessment later. Or the other way of saying is to accept first, then analyse later.

TCE: On the occasion of International Women’s Day, what key actions can organizations take to create more inclusive and supportive environments for women in cybersecurity?

Hannah: Community is essential. As someone who has moved in several countries (with the UAE as my seventh), one of the things that you do is to find ways to try to ground yourself in a new community. This was very much evident in the UAE through initiatives for women in cyber security, and also being in other groups for women in technology that I’m a part of for the broader GCC area. Organizations can choose to take part in more of these initiatives, or at least encourage and empower their employees to participate.

TCE: What advice would you offer to young women aspiring to build leadership careers in cybersecurity, particularly in areas like risk management and compliance?

Hannah: To start with, I was working as a system administrator for a software company. We had customers that needed to configure specific components to make it compliant (such as using FIPS cryptographic modules). Eventually, I ended up learning more about these frameworks.

After I pivoted more towards auditing and implementing ISMS for enterprises and organizations, the focus was less on the technical and being super specialised in it, and more on the business side and finding ways to get the business to achieve and maintain compliance.

Having background in the two, I find, has been a valuable perspective to work in this area.

Conclusion

Hannah Suarez’s perspective is a reminder that cyber risk management is not just about frameworks or compliance checklists. At its core, it is about understanding how a business operates, who owns the risk, and how security decisions affect the organization as a whole.

From navigating cloud security responsibilities to addressing emerging supply chain vulnerabilities, Hannah emphasizes that security leaders must first understand the direction of the business before building controls around it. Only then can cybersecurity move beyond enforcement and become part of how organizations operate and grow.

Her journey also highlights the importance of community and mentorship, particularly for women in cybersecurity who are building leadership roles across the industry.

As organizations continue to evolve digitally, the challenge for CISOs will be balancing innovation with responsible cyber risk management. As Hannah suggests throughout this conversation, the starting point remains simple: understand the business, understand the risk, and build security programs that support both.
