
CIO Influence Interview with Diana Kelley, Chief Information Security Officer (CISO) at Noma Security

Diana Kelley, Chief Information Security Officer (CISO) at Noma Security, discusses the state of cybersecurity and AI, and what modern CISOs should focus on in an evolving market, in this CIO Influence interview:

_______________

Hi Diana, share with us a few top of mind CISO best practices and thoughts from your time in SaaS?

Immediately top of mind is the so-called SSO Tax. Enterprises are adopting new SaaS tools every day and the initial spend looks reasonable until the CISO asks for an upgrade to the enterprise tier to get SSO. While true SSO is a best practice for SaaS, as you can see from this list (https://ssotax.org/), the cost is often non-trivial and can be hard to explain to the C-suite, who think they have SSO because of the "login with" feature.

Next is how helpful continuous compliance reporting tools can be for companies adopting new SaaS solutions. While we all know it's best practice to request the latest SOC 2 Type 2, it's very helpful to be able to go to a company "Trust" page to see which controls are running and to see information such as their current 3rd and 4th party processors/sub-processors.

Another common best practice is the need to test your SaaS exit plan. Some teams treat SaaS like The Hotel California: you can check in anytime you like, but you can never leave. Data extraction, contract exit clauses, and identity cleanup are rarely tested until a business decides to replace a vendor. Suddenly, you realize your customer data is locked in a proprietary format or that you have thousands of stale service accounts lingering. It's far less painful to manage these issues in advance.

And finally, I'd add the importance of continuously reviewing SaaS integrations. It feels a little like every SaaS tool wants to connect to Slack, your CRM, or your cloud storage, and most of the time each of those connections is effectively an API trust relationship. Left unchecked, they can become sneaky dangerous attack paths. A forgotten "read/write" integration granted two years ago can easily turn into the open side door an attacker slips through. Making integration reviews part of your quarterly SaaS hygiene is a simple but highly effective control.

Where do you see the CISO role headed with all of today’s product innovations in online security and AI?

The CISO role is becoming more important than ever. We're in charge of online/information security and there's not much that isn't online these days! Even physical security has an online component because the visitor logs and camera captures end up in the cloud.

What's interesting is how differently organizations are drawing boundaries around the CISO role. In some companies, everything operational except the SOC and threat hunting is being carved away from the CISO's office. Compliance, physical security, identity and access management, security awareness training, and even vendor risk management are handed off to other parts of the business. The CISO in this model looks more like a strategist and advisor who is focused on high-level risk alignment, threat intelligence interpretation, and board communication.

In other organizations, the pendulum has swung in the opposite direction. They're stacking nearly all operational responsibility under the CISO: compliance, physical security, IAM, security awareness, threat intel, product security, cloud security, you name it. In these shops, the CISO is more like a chief operating officer for security, expected to own every control surface directly.

Neither model is "right" or "wrong"; they reflect culture, maturity, and appetite for risk. I believe that as more tools become AI-augmented, the CISO won't be expected to micromanage every operational domain because automation and delegated ownership will do more of the heavy lifting. But the CISO will be expected to advise on AI risk governance, validate that security AI is trustworthy, and prepare the enterprise for adversaries wielding their own AI at scale.

What keeps security teams up at night today in a world where threats are becoming more sophisticated?

I'm hearing a lot of concerns around the explosive adoption of AI on three fronts:

How to manage and govern?

AI has become the new "shadow IT." Tools are being plugged into workflows by eager employees, vendors are embedding generative AI into their products without always being transparent, and data flows are harder to trace. What keeps a lot of CISOs awake is the nagging suspicion that sensitive customer information, like personal financial records, health data, or source code, may already be passing through an unvetted model somewhere in the enterprise. Governance means knowing what AI you have, where it lives, who uses it, and how it touches your data. Without that inventory and oversight, the risk reporting you show the board is woefully incomplete.

How to ensure they are leveraging AI effectively in the SOC?

Security Operations Centers (SOCs) are under constant pressure: alert fatigue, staffing shortages, and increasingly complex attack surfaces. AI offers the promise of faster triage, better correlation, and smarter response. But the practical challenge is training staff to work with AI rather than just bolt it on as a shiny tool. Teams are wrestling with questions like: How do we validate AI-driven detections? How do we tune prompts to minimize false positives? How do we ensure the model's recommendations are explainable to regulators and auditors? What keeps people awake here is both the FOMO (fear of missing out) on the potential of AI and the risk associated with leaning on it too hard without really understanding its limits.

How to defend against advanced AI threats?

We've entered the era of attackers using AI as a force multiplier. Phishing emails are now written in flawless local languages. Social engineering scripts can be adapted in real time. Malware can be auto-generated, tested, and improved by adversarial models. That shifts the scale: instead of an attacker sending a thousand sloppy attempts, you may now face a million tailored ones all at once. CISOs want to be sure that their defenses are prepared for this scale. Is my SOC ready to detect synthetic identities or deepfakes targeting executives? Do my DLP controls protect against prompt injection attacks on customer-facing AI agents?

What are some of the most underrated skills in the roles of security and data protection teams that you think should be more in focus?

AI Prompt Engineering

Right now, AI prompt engineering in security feels like the early days of SOC rule creation: those who know how to do it well quietly wield enormous power, while the rest wonder why their detections or automations are brittle. Being able to safely and reliably interact with AI models, whether for threat hunting, anomaly detection, or customer support triage, is a skill that will separate high-functioning teams from the rest. It's not just about "writing good prompts." Using AI effectively in security work means knowing how to craft prompts that sharpen your analysis, accelerate investigations, and avoid introducing risk. A well-framed prompt can help a SOC analyst summarize thousands of log lines into the three anomalies that matter, or guide a threat hunter to correlate TTPs across multiple data sources without spending hours pivoting manually.

Empathy as a Security Control

The other skill that I see some security teams overlook is empathy. It sounds soft, but empathy is hard-edged in practice. The best security pros understand that it's not about hammering people with rules; it's about stepping into the shoes of a developer racing to hit a deadline or a customer success manager trying to save an account, and showing them how to stay within policy without derailing their goals. The real craft is helping the business succeed and stay secure at the same time.

Systems Thinking

Security is rarely about a single tool failing; it's usually a cascade of small cracks aligning. Systems thinking is the ability to see interdependencies between SaaS providers, data flows, IAM, and human behavior, and to recognize how a misstep in one area ripples across the rest. It's about uncovering root causes instead of chasing symptoms: not just patching the endpoint malware, but realizing it was enabled by an overly permissive SaaS integration, weak IAM controls, and a rushed onboarding process. The strongest teams use systems thinking to solve problems at the source, breaking the cycle of recurring incidents.

Five thoughts you’d leave every SaaS CIO and CISO with before we wrap up?

  1. Get a handle on your AI governance with asset inventory and risk reporting; otherwise you may be caught by AI Shadow IT risks. Build an AI asset inventory and make it a standing report in your risk committee reviews.
  2. Stand up a Trust Center before someone asks why you don't have one. Stand up at least a basic Trust portal with your SOC 2, ISO 27001, and other relevant reports, processors and sub-processors, and status updates for uptime and incidents.
  3. Don't get caught without full SSO across your SaaS stack. Run an SSO gap analysis across your SaaS portfolio, prioritize critical providers, and move towards full enforcement.
  4. Rehearse your SaaS supply chain incident response. Add a "third-party SaaS compromise" scenario to your tabletop exercises. Test how you'll revoke integrations, rotate API keys, and communicate transparently to customers.
  5. Reassess your data residency and sovereignty commitments. If you can't answer the customer question, "Where exactly is my data stored and processed?" you could lose deals. Work with legal and compliance to build a data residency map and confirm your providers can back up the claims you make to customers.
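Two of the hygiene controls above, the quarterly SaaS integration review from the first answer and the SSO gap analysis in point 3, both reduce to walking an inventory and ranking what needs action. The script below is an added example, not code from the interview or from Noma Security: it takes a constructed SaaS application inventory and a constructed list of third-party integrations (the app names, scope strings, and dates are all made up) and produces the two reports a CISO would bring to a quarterly review. An integration is flagged for revocation when it has never been used or has been idle longer than `unused_days`, flagged for review when nobody has re-approved it within `review_days`, and rated high severity when any of its scopes grants write or admin access. Apps without enforced SSO are listed highest criticality first, distinguishing "turn it on" from "this needs the tier upgrade first", which is exactly the SSO-tax conversation with the C-suite.

```python
"""SaaS hygiene checks: SSO gap analysis and stale-integration review.

Added example; not part of the original interview. All inventory records
below are constructed sample data. In practice they would come from your
SaaS management platform, identity provider, or the vendors' audit logs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class SaasApp:
    name: str
    criticality: str            # "high", "medium" or "low"
    sso_enforced: bool          # users can only sign in through the IdP
    sso_on_current_tier: bool   # False: SSO needs a tier upgrade (the "SSO tax")


@dataclass(frozen=True)
class Integration:
    app: str                    # SaaS app that holds the grant
    target: str                 # what it connects to (Slack, CRM, storage, ...)
    scopes: FrozenSet[str]
    granted: date
    last_used: Optional[date]   # None: never observed in audit logs
    last_reviewed: Optional[date]


CRITICALITY_RANK: Dict[str, int] = {"high": 0, "medium": 1, "low": 2}
# Substrings that mark a scope as more than read-only. Assumed naming; adjust
# to the vendor's actual scope vocabulary.
WRITE_MARKERS = ("write", "admin", "delete", "manage")


def sso_gap_report(apps: List[SaasApp]) -> List[Tuple[str, str, str]]:
    """Apps without enforced SSO as (name, criticality, action), most critical first."""
    rows = []
    for app in apps:
        if app.sso_enforced:
            continue
        action = ("enforce SSO now" if app.sso_on_current_tier
                  else "budget tier upgrade, then enforce")
        rows.append((app.name, app.criticality, action))
    rows.sort(key=lambda r: (CRITICALITY_RANK[r[1]], r[0]))
    return rows


def has_write_scope(scopes: FrozenSet[str]) -> bool:
    return any(m in s.lower() for s in scopes for m in WRITE_MARKERS)


def integration_findings(integrations: List[Integration], today: date,
                         unused_days: int = 90, review_days: int = 90) -> List[dict]:
    """Integrations a quarterly review should revoke or re-approve.

    Idle or never-used grants are 'revoke'; grants that are in use but have not
    been re-approved within review_days are 'review'. Write access raises
    severity because that is the 'open side door' a stale grant turns into.
    """
    findings = []
    for i in integrations:
        idle = i.last_used is None or (today - i.last_used).days > unused_days
        overdue = i.last_reviewed is None or (today - i.last_reviewed).days > review_days
        if not (idle or overdue):
            continue
        findings.append({
            "app": i.app,
            "target": i.target,
            "action": "revoke" if idle else "review",
            "severity": "high" if has_write_scope(i.scopes) else "low",
            "granted_days_ago": (today - i.granted).days,
        })
    # High severity first, then revocations before reviews, then by app name.
    findings.sort(key=lambda f: (f["severity"] != "high", f["action"] != "revoke", f["app"]))
    return findings


# Constructed sample inventory (not real vendors or grants).
TODAY = date(2025, 9, 30)
APPS = [
    SaasApp("crm", "high", sso_enforced=True, sso_on_current_tier=True),
    SaasApp("design-tool", "medium", sso_enforced=False, sso_on_current_tier=False),
    SaasApp("survey-tool", "low", sso_enforced=False, sso_on_current_tier=True),
    SaasApp("ticketing", "high", sso_enforced=False, sso_on_current_tier=True),
]
INTEGRATIONS = [
    # Forgotten read/write Slack grant from two years ago, never reviewed.
    Integration("design-tool", "slack", frozenset({"chat:write", "channels:read"}),
                date(2023, 8, 1), date(2023, 9, 15), None),
    # Read-only, in daily use, but last re-approved 91 days ago.
    Integration("crm", "cloud-storage", frozenset({"files:read"}),
                date(2025, 1, 10), date(2025, 9, 29), date(2025, 7, 1)),
    # Write grant that is in use and was reviewed this month: no finding.
    Integration("ticketing", "crm", frozenset({"records:write"}),
                date(2025, 3, 1), date(2025, 9, 28), date(2025, 9, 1)),
    # Reviewed recently, but never actually used.
    Integration("survey-tool", "crm", frozenset({"contacts:read"}),
                date(2024, 11, 5), None, date(2025, 8, 20)),
]

if __name__ == "__main__":
    for name, crit, action in sso_gap_report(APPS):
        print(f"SSO gap  {crit:<6} {name:<12} {action}")
    for f in integration_findings(INTEGRATIONS, TODAY):
        print(f"{f['severity']:<4} {f['action']:<6} {f['app']} -> {f['target']} "
              f"(granted {f['granted_days_ago']} days ago)")
```

Run as a script it prints the two reports; the functions are kept separate from the sample data so the same checks can be pointed at an export from a real inventory. The thresholds default to one quarter, matching the cadence the interview recommends.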


Noma Security is the unified AI agent security platform giving enterprise organizations the confidence to rapidly adopt AI innovation at scale. Noma Security uniquely helps cybersecurity teams control AI risk through continuous AI discovery, AI security posture management and risk prioritization, and AI red teaming and runtime protection. Backed by Evolution Equity Partners, Ballistic Ventures, Glilot Capital, Cyber Club London, Databricks Ventures and SVCI, Noma Security is widely adopted by Fortune 500 customers and has been recognized by Gartner as a leader in AI trust, risk and security management (AI TRiSM).

Diana Kelley is the Chief Information Security Officer (CISO) at Noma Security, where she serves as a trusted advisor to customers while spearheading strategic programs to support continuous innovation and AI security leadership. Her past career experience includes serving as CISO at Protect AI and in other senior leadership roles at major technology and cybersecurity companies, including Microsoft, IBM Security, and as GM at Symantec. A recognized voice in the industry, Diana serves on multiple advisory boards including WiCyS, The Executive Women's Forum (EWF), and InfoSec World.
