Align Information Security

Across conversations with cybersecurity leaders featured in Feats of Strength, one message is unmistakably clear: the future will not reward those who stand still. It will belong to leaders who adapt, learn, unlearn, and lead with clarity in a world defined by rapid technological change.Artificial intelligence may be the most visible force shaping today’s strategy, but true future-proof leaders see beyond tools. They understand that technology alone does not secure a business or guide a team. Instead, it is the leader’s mindset, communication style, culture building, and vision that determine whether an organization thrives in the years ahead.In our latest set of interviews, 100 percent of security leaders mentioned AI, and 75 percent identified it as one of their top strategic priorities. But when you listen closely, what emerges is not an AI story. It is a leadership story, one about adaptability, clarity, and the ability to create structure amid uncertainty.The future-proof leader is not a technologist. They are a strategist. An enabler. A communicator. And above all, a guide.

Kyle Thomas describes his path into cybersecurity as “nonlinear,” yet it is precisely that diversity of experience that exemplifies his strength as a leader. His career began in the late 1990s as technology was taking shape, and he grew alongside it, earning certifications across everything from database design, to JavaScript, and firewalls. Over time, his adept curiosity led him into security leadership, where his ability to bridge technology and strategy became a defining skill.In 2022, Kyle’s career journey led him to WEX, a global commerce platform, where he took on the role of Director, then Senior Director of Global Information Security. When joining the organization, Kyle was drawn not only to the technology stack but to what he describes as a “true culture of security.” “When I joined, we had roughly fifty people in security,” he recalls. “That’s a large number for an organization our size, but it reflected the complexity of what we do.”WEX operates across three lines of business including Mobility, Corporate Payments, and Benefits, and provides services to clients in over 200 countries. The company processed more than $200 billion in payment volume last year, managing data across 20 currencies and tens-of-millions of user accounts. “It’s a global organization with a highly regulated environment,” Kyle explains. “We’re subject to PCI, SOX, SOC, HIPAA/HITRUST, GDPR, and numerous other global privacy frameworks. That level of maturity made me confident this was a place where security had real influence.”Culture of SecuritySince joining WEX, Kyle’s scope of responsibilities has grown significantly. Starting at two teams and 13 people, he now leads a team of 40 members across five countries, overseeing network security, data protection, identity protection, automation, and security applications. He is closely partnered with Application Security, Architecture, and GRC teams, serving on advisory boards, and working with senior technology leaders to align security with innovation.One of his primary focuses is helping the organization balance product velocity with security oversight. “Our goal is to enable rapid experimentation and innovation while maintaining compliance and protecting data,” he says. “That means staying closely connected to digital and product leadership and making security part of the business rhythm.”Each year, Kyle and his teams begin with what he calls “brag books”, internal reports that track metrics, project milestones, and wins. “We aggregate those into an annual brag book and present it across the organization,” he explains. “It’s not just about showing numbers like the 120 million threat blocks we average per day, or the 400,000 daily container runtime scans, it’s about showing what we can achieve when we work together.” That transparency helps build trust and alignment across departments, reinforcing security’s role as a business enabler.AI and the Future-Ready EnterpriseKyle describes artificial intelligence as both a driving force and a challenge for the modern security leader. “AI is everyone’s focus right now,” he says. “We’ve built AI-powered tools to simplify processes, but that means our focus must include securing those models, monitoring them for vulnerabilities, and ensuring we use AI responsibly.”For WEX, the integration of AI is not only operational but also strategic. The organization continues to explore how AI can streamline operations, identify threats faster, and even support defensive automation. “We use AI to fight fire with fire,” Kyle explains. “If threat actors are using AI, so should we.”He notes that AI security overlaps with several other domains. “It’s similar to application and identity security. Overprivileged AI agents can create risk just like any other non-human account. It’s about managing those permissions and maintaining control.”As part of his annual planning, Kyle focuses on short, actionable roadmaps rather than multi-year strategies. “Security evolves too fast for long-term static plans,” he says. “Three years ago, no one had AI in their strategy, and now it’s a major priority. Being future-ready means staying adaptable and focusing on measurable progress each year.”Building TrustTo translate complex security strategies into business language, Kyle believes communication must start with “the why.” He believes in a philosophy of purpose-driven communication. “Security can’t just say no, we have to show why something matters, what the risk is, and how we can partner to solve it,” he says.That philosophy has helped him earn the trust of executives and peers across the organization. His team conducts annual roadshows to share results, discuss upcoming initiatives, and gather feedback from product and technology leadership. “Those sessions are key,” he says. “They turn security into a shared mission instead of a separate function.”Kyle also emphasizes a service-oriented mindset. “In security, our customers are usually internal. If a security control creates friction, our job is to guide and support, not to punish,” he explains. “Trust is built in small moments. You earn it by showing up and helping.”Leadership with Transparency Kyle describes his leadership style as open and honest. Every new employee receives the same speech on their first day: clear expectations, candid feedback, and empowerment to take ownership. “If I have to do their job for them, I’m either overpaying or I’m not doing my job,” he says with a laugh. “My job is to create space for people to excel.”He encourages his team to innovate and challenge convention. “We say the box is where we put our ideas when we’re done,” he notes. Each team member is required to set two annual development goals, one technical and one professional. “It’s my responsibility to develop leaders,” he says. “That means giving them room to fail safely and learn from it.”When hiring, Kyle prioritizes cultural fit and capability over credentials. “We removed degree and certification requirements from our roles,” he explains. “Skills and mindset matter more. We can help someone earn a certification later if they have the drive and curiosity to learn.”He believes diverse experiences strengthen the team. “We operate globally, and certifications popular in the U.S. may not carry the same weight in India or the UK. I care about competence and problem-solving. The rest can be developed.”A Lifelong Learner Kyle practices what he teaches by setting his own development goals each year. He reads, listens to leadership podcasts, and attends industry conferences to stay current. “I’m a big believer in lifelong learning,” he says. “Every day, I try to learn something new.”He also values the network of peers he’s built through professional events. “We all need someone to call when we hit a new challenge,” he says. “Conferences and groups give you that lifeline. You can ask, ‘Have you seen this before?’ And learn from each other.”Looking ahead, Kyle hopes to see more collaboration across technology disciplines. “We talk a lot about breaking down silos, but we still tend to separate CISOs, CIOs, and CTOs into different circles,” he reflects. “We have so much to learn from each other. If we want to move the industry forward, we need more of those mixed conversations.”At WEX, Kyle is leading by example, proving that future-proof leadership means more than adapting to technology. It means empowering people, communicating purpose, and building a culture of trust that stands ready for whatever comes next.

Over the past year, people in the United States have seen a sharp increase in smishing attacks (phishing done via SMS). These are the texts about unpaid tolls and undeliverable USPS packages that seem to have hit every phone at this point. The links often lead to convincing fake websites, sometimes even using Google’s branding to look legitimate.

Lisa Lafleur didn’t plan a career in cybersecurity, she built one out of curiosity and conviction. “I was the first cybersecurity person at a bank I worked at during the beginning of my career,” she says. “When I hired on as a network manager, I saw a need for cybersecurity and talked to my boss about it. He said, ‘Do we even need cybersecurity people?’ That was really the attitude at the time.”Lisa convinced him otherwise, laying the groundwork for what would become a long and distinguished career in information security. “That was my first entry into security, but there were always elements of it in my work,” she explains. “I had been writing policies for ten years, and I worked in audit, doing some auditing of cybersecurity as well.”Her early years reflect the infancy of the cybersecurity industry. “When I was in audit, the main control was making sure we had power strips and we knew where the policy was,” she recalls with a laugh. “Auditors would read books to figure out what they needed to ask me. They once said we needed firewalls, but we weren’t even on the internet yet. I said, ‘We don’t need firewalls; we don’t have anything to firewall off.’ It was such an interesting time.”Finding Her Place at WalmartToday, Lisa is the Senior Director of External Party Risk Management at Walmart, a role she has held for more than four years. Her path to Walmart began long before the opportunity appeared. She spent years building a reputation in financial services, defense, and manufacturing, working in positions that exposed her to governance, audit, networking, policy writing, and eventually security leadership.During her time at Raytheon she worked for a leader who became a long-term mentor. “The person who hired me at Raytheon hired her at Walmart. It is important to maintain your network and keep relationships going even if you change roles.”  The position at Walmart offered Lisa the chance to build something new. Lisa saw the External Party Risk Management program as an opportunity to apply decades of strategy and governance experience toward a large-scale initiative. “This was my opportunity to build something meaningful and give back to the community if I could build it the right way.”Leading a Complex Global ProgramLisa’s role focuses on vendors that don’t supply the products on Walmart’s shelves but still handle sensitive data. “Any vendor with whom we exchange protected information has to go through my team,” she explains. “We look at it from two perspectives: onboarding and continuous management.”Her team ensures that every vendor meets Walmart’s strict security standards before work begins. “We use NIST and other industry frameworks to make sure vendors meet our requirements,” she says. “We make sure they’re protecting data in the same way we would protect it in-house, with all the same or equivalent controls.”The team has full authority to reject vendors that don’t meet those standards. “We absolutely have the power to say no,” she says. “And so far, every decision we’ve made has been backed one hundred percent.”Once a vendor is approved, Lisa’s team monitors them continuously. “We make sure they maintain that level using mostly OSINT data,” she says. “We look for vulnerabilities on their external servers and make sure nothing’s falling through the cracks.”Her group’s scope extends well beyond third-party oversight. “We’re not just third-party risk management; we’re external party risk management,” she explains. “That means we also look at fourth parties and beyond. Sometimes those fourth-party relationships pose even bigger risks to the supply chain than the third parties themselves.”AI, Data, and the Expanding Risk LandscapeAs with nearly every area of security, AI is both an opportunity and a challenge. “AI is probably the biggest change and the biggest challenge,” Lisa says. “All of a sudden, everybody can code and create tools. We’re going to need strong strategies and leaders to stand beside them to make sure these developments align with our goals and don’t become distractions.”Her team is also exploring how AI can improve visibility into Walmart’s vast vendor ecosystem. “For years, we’ve been collecting data on all of our vendors,” she explains. “Now we’re asking, how can we use that data to make better risk-informed decisions and increase the health of the ecosystem?”Lisa sees her work as part of something much larger. “The more data we analyze, the more we realize how interconnected every company is,” she says. “People joke about six degrees of separation, but in cybersecurity, it’s more like two. One vendor’s issue can quickly become everyone’s issue.”Looking ahead, Lisa’s priorities include expanding the program internationally and integrating AI responsibly. “We want to leverage AI to increase insights and efficiency, but it has to be tied to the overall strategy,” she says. “And internationally, we’re figuring out how to scale our processes and make sure they’re built into everything we do.”Translating Security into Business ImpactFor Lisa, communication is as critical as technology. “That’s why I got my MBA,” she says. “I wanted to be able to explain what we do to the business and talk to executives in their language.”She uses an agile framework to track progress and align with corporate strategy. “We capture everything in sprints, stories, and epics,” she explains. “I work with the program management office to make sure what I’m doing reads into their strategy. I meet with strategic leads all the time to explain my business cases and make sure our priorities are aligned.”That alignment with business value is essential in Walmart’s culture. “At the end of the day, our job is to increase shareholder wealth,” she says. “Walmart is very particular about everyday low cost or EDLC. We look at every penny because we really do care about providing the lowest costs for our customers. It all makes sense when you walk into a store and see how that strategy connects.”Leadership with Purpose and IntegrityLisa describes herself as a servant leader, a philosophy that defines her approach to management. “My job is to empower the people around me to reach their full potential,” she says. “I tell my team all the time: my job is to get obstacles out of your way.”She values transparency and open dialogue, even around difficult topics like AI. “We had an honest conversation about AI and its existential threat to some of the work we do,” she says. “One of my team members told me they were surprised I brought it up. But I think talking about it makes it less scary. Avoiding it doesn’t.”Her empathy and honesty create a culture of trust. “I like to be honest and always say I’m too lazy to be dishonest,” she laughs. “It’s just too hard. I’d rather be upfront.”Lisa also believes in giving back. “At a certain point in your career, it’s important to contribute to the community,” she says. “I’m active in ISC² and InfraGard and serve on chapter boards. I think it’s especially important as a woman in this field. Young women don’t always see opportunities for themselves, and sometimes they’re too hard on themselves. I want to change that.”She makes time for mentorship wherever she can. “I love it when young women reach out,” she says. “If I can fit it in, I’ll always prioritize those conversations. We need more women in this field, and if sharing my story helps even one person, it’s worth it.”Building a Diverse and Inclusive FutureDiversity and inclusion are more than talking points for Lisa, they’re daily priorities. “As a leader, I think it’s important to understand generational, cultural, and gender differences,” she says. “Those things can become barriers if we don’t take time to learn about them.”She makes a point of learning from her global team members. “I have people from Panama, Ghana, Mexico, India, and it is fascinating to learn from them,” she says. “I’m constantly asking questions about where they’re from and how they see things. When you understand different perspectives, it builds appreciation and teamwork.”Lisa believes that diversity strengthens security. “When you bring people with different backgrounds and experiences together, you get better ideas,” she says. “That’s how we build stronger teams and a stronger industry.”At Walmart, Lisa leads with humility and a deep sense of purpose. “Every day is different,” she says. “There’s no playbook, but that’s what makes it exciting. My goal is to help my team succeed, support the business, and hopefully leave this program and this industry better than I found it.”

Michael Brewer’s journey into cybersecurity began in the U.S. Army, where his career quickly evolved from running telephone lines to building complex network systems. He shares, “Networking was just starting to become something the Army was going to use for their forward deployed data packages. I attached myself to that team because I saw where the future was going and wanted to make sure, I kept up and had a good career.”That decision set him on a lifelong path of technical curiosity and leadership. He eventually led teams that deployed mobile data networks, gaining early experience in how to secure environments and keep operations running under pressure. “I took a liking to security concepts including different ways of securing an environment, physical and logical, keeping bad people out, and allowing people on site to do what they need to do,” he says.After leaving active duty, Michael started his own company before moving into defense contracting in San Diego, supporting the Navy and various Department of Defense entities. “There’s a big footprint here for DoD contractors,” he says. “From there I joined as a government employee running the NMCI network as the lead engineer, and later moved to the private sector to do product security for Teradata.”When the pandemic hit, he pivoted again, this time leading pre-sales engineering for a security vendor. During that period, he conducted a cybersecurity assessment for Neurocrine Biosciences. “The CIO liked what I was doing and what I delivered,” he recalls. “That was that, I moved over to the Chief Information Security Officer position.”Becoming a Business LeaderMichael quickly realized that being a CISO required both technical depth and business and leadership skills. “There are some skill sets that map well like critical thinking, storytelling, and the ability to condense very technical concepts to a non-technical audience,” he explains. “But there were other aspects I wasn’t aware of at the time, mainly around legal and compliance for Biotech.”He also discovered that the expectations for CISOs have evolved far beyond traditional IT. “We have to know finance, we have to know the business, we have to know marketing,” he says. “We have to be able to articulate cases and tell stories, not only our cybersecurity capabilities but our acumen as business leaders.”Building a Modern Cybersecurity ProgramToday, Michael oversees all aspects of Neurocrine’s cybersecurity program, including data protection, identity and access management, security architecture, engineering, governance, and incident response. “It’s the entire cybersecurity program,” he says. “We also just christened AI security, which I’m sure everybody’s dealing with now.”Security awareness is a major priority for him. Michael views it as a cultural issue rather than a compliance checkbox. “People across the business are very smart, but they don’t always know the jargon, the risks, or the impact if something goes wrong,” he explains. “My goal is to build a culture where people feel comfortable reporting issues. It’s not a punitive thing if something bad happens. We need employees to tell us when something seems off.”Looking to the year ahead, his top priorities are risk management, automation, AI security, and maturing third-party risk. “We’re a publicly traded company, so we have to deal with audits just like everyone else,” he says. “That can take up a lot of time for engineers and architects. We’re focused on automating controls and artifacts so we can standardize the process. It shouldn’t depend on who’s in the role, anyone should be able to step in and close out that audit artifact.”Michael is also working to gamify security training. “The punitive approach doesn’t work,” he says. “We’re moving toward a gamified, positive approach with department leaderboards and small competitions. It’s about getting people to pay attention and making awareness something they want to be part of.”AI, Risk, and the Changing LandscapeArtificial intelligence is one of the most significant challenges facing security leaders today. “AI has hit us all sideways,” Michael says. “There’s no Cyber AI bachelor’s degree coming out of school anywhere. There’s no formal training because these things, like Model Context Protocol (MCP), just came into realization last year.” “We’re learning about these technologies at the same time as the adversaries,” he says. “There’s really no getting ahead of it. You just have to stay current and agile.”Regulatory complexity adds another layer of pressure. “We have a lot of uncertainty with what’s coming out of the current administration,” he says. “There’s also the state-level piece, and then the global considerations. It’s constantly evolving.”That evolving threat landscape requires a balance between security and innovation. “We want to be secure and take a risk-based approach, but the business wants to move quickly,” he says. “If we don’t adopt new technologies, it can negatively impact the business, but if we move too fast, that can also create risk. Finding that middle ground is the challenge.”Leading with EmpowermentMichael’s leadership philosophy centers on trust and empowerment and he encourages innovation and continuous learning. “If someone goes off and learns something new, I want them to bring it back to the team,” he says. “We can figure out together how to adopt it or modify the idea moving forward.”Mentorship has become one of his most meaningful responsibilities. “Helping others grow in their careers is incredibly rewarding. I might only get to work with someone for a small window of their life, but I want to set them up for success.”When hiring, he looks for curiosity and a hunger to learn. “The biggest thing I look for is eagerness, a person who’s hungry to learn, self-taught, and collaborative. Everything else can be trained.”Staying Connected and Giving BackMichael stays connected to the cybersecurity community through local and national groups. “Here in San Diego, we have many groups, and a small brain trust of CISOs in biotech that meet once a month for lunch,” he says. “We just talk about what’s going on.” He also participates in national industry networks. “These types of groups offer open communication, message boards, Slack channels, all ways to share what’s landing and what isn’t.”At Neurocrine Biosciences, Michael leads with the same principles that have guided him from the Army to the C-suite including empowerment, communication, and purpose. “Being a CISO is about more than keeping bad actors out,” he says. “It’s about helping people do what they need to do safely and creating an environment where security enables innovation instead of limiting it.”

For Yash Murali, technology has always been a space where curiosity meets creativity. “I’ve always been fascinated by how things work,” he says. “Growing up, I’d take things apart just to see how they fit together.” That same mindset shaped his early career in engineering, where he built systems that merged design, function, and innovation.His career spanned across private-equity-backed consumer technology and health and wellness—industries that taught him distinct lessons. Private equity taught him how to move fast, consumer technology showed him the importance of design and user experience, and health and wellness taught him that trust is everything.Before joining Therabody, Yash held several senior technology roles where he led global teams and built scalable digital platforms. “I’ve always loved the challenge of connecting technology with purpose,” he explains. “For me, success is when technology disappears and when it becomes so intuitive that people don’t even realize how much innovation is behind it.”Leading at the Intersection of Health and TechnologyWhen Yash joined Therabody as Chief Technology Officer, he saw an opportunity to merge advanced technology with the science of human performance. “We’re a wellness technology company,” he says. “That means we sit at the intersection of health, science, and innovation. Our job is to make recovery and wellness accessible to everyone, whether you’re a professional athlete or someone who just wants to feel better.”At Therabody, Yash oversees the company’s global technology strategy from software and connected devices to data analytics, automation, and security. “My team is responsible for building and securing the digital ecosystem that powers our products,” he says. “That includes everything from mobile apps to AI-driven recommendations.”He approaches his work with the mindset of a product visionary. “Technology has to create value for the business and for the user,” he says. “I focus on how every product, and every data point can help someone move, sleep, or recover better.”That connection between product and purpose is what keeps him energized. “Our mission isn’t about selling devices, it’s about improving lives through smarter technology,” he says. “Everything we do ties back to that mission.”Innovation Through Data and AIArtificial intelligence plays a central role in Therabody’s innovation roadmap. “AI helps us understand how the body responds to different treatments,” Yash explains. “It allows us to personalize recommendations and make recovery more efficient.”The company uses AI to analyze sensor data, track behavioral trends, and optimize device performance. “The future of wellness is personalized,” Yash says. “AI helps us connect the dots, from usage patterns to health outcomes, so we can design experiences that adapt to each individual.”But he is equally focused on doing it responsibly. “Consumers trust us with their data,” he says. “That trust is sacred. We’re very intentional about how we collect, store, and use data. Transparency and security are non-negotiable.”He often describes AI as a partner to human intelligence, not a replacement. “AI can amplify creativity and accelerate discovery,” he says. “It can make connections we might miss. But it still takes human empathy and judgment to decide what to do with that information.”That philosophy drives how his teams design and deploy technology. “We use AI as a lens for innovation,” Yash says. “But it’s not the end goal, it’s a tool that helps us serve people better.”Building and Empowering Global TeamsYash leads with a philosophy rooted in trust, empowerment, and shared accountability. “My job is to create the conditions for my team to succeed,” he says. “That means removing barriers, setting clear goals, and giving people ownership.”He manages a diverse, global team of technologists, engineers, and data specialists. “When you’re leading across geographies and time zones, communication becomes everything,” he says. “You can’t rely on hallway conversations. You have to be intentional about how you share information, set expectations, and build connection.”He believes that culture starts with empathy. “Every person on the team has different motivations,” he says. “Some want to innovate, some want stability, some want to grow into leadership. My role is to help them find that path and make sure they know their work matters.”One of Yash’s favorite leadership practices is storytelling. “Data tells you what’s happening,” he says. “Stories tell you why it matters. When I talk to my team or the board, I use both. People remember stories, they remember how they felt about the work.”That approach has earned him the respect of both technical and business leaders. “You can be the smartest engineer in the room,” he says. “But if you can’t communicate why it matters to the customer, you’re missing the point.”Adapting for the FutureLike many technology leaders, Yash sees the future of work and leadership evolving rapidly. “The technology will always change,” he says. “What doesn’t change is the need for adaptability and curiosity.”He encourages his team to embrace experimentation. “It’s okay to fail,” he says. “If we fail, we do it fast, learn from it, and move forward. The only true mistake is staying still.”Automation and intelligence are key priorities for the years ahead. “We’re building a foundation that scales,” Yash says. “That means designing systems that can adapt to new technologies, new regulations, and new customer expectations.”He also sees leadership itself changing. “The next generation of leaders will be those who can connect technology, empathy, and business strategy,” he says. “A future-proof leader is someone who can navigate uncertainty without losing sight of the mission.”Staying Connected and Continuous GrowthYash is deeply involved in the broader technology and wellness community. He participates in innovation panels, leadership roundtables, and cross-industry collaborations. “It’s important to share what we’re learning,” he says. “Wellness technology is still young. We all benefit when we share insights and best practices.”Continuous learning remains central to his leadership. “I make time to read, listen to podcasts, and learn from my peers,” he says. “You can’t lead in technology if you stop learning. The moment you think you’ve figured it out, you’re already behind.”He encourages his teams to do the same. “We have to model the curiosity we expect,” he says. “If I’m learning something new every day, my team sees that and follows suit.”At Therabody, Yash’s leadership is defined by balance with innovation and integrity, data and empathy, technology and humanity. “We’re using technology to improve people’s lives,” he says. “That’s what keeps me excited. Technology is only powerful when it helps people feel better, move better, and live better.”

Rose Lally’s career began long before cybersecurity was a defined discipline. Her first job out of college was at IDX, where she worked as a programmer and was introduced to a tool called Security Plus. “It was the first inkling of anything related to cybersecurity,” she says. “We would probably equate it today to more of an identity and access management tool, but that’s where I started getting into the concept of people having role-based access or layered security on personal data.”