Doug Kersten, CISO of Appfire, chats about the CISO’s role in Governance, Risk and Compliance workflows, challenges faced around business risk and compliance, AI in threat security, and more in this quick catch-up.
——
Hi Doug, tell us about your tech journey and your time as Appfire’s CISO.
I have spent the past 20+ years leading security and IT programs for some of the world’s top financial institutions and law firms, always with an eye toward applying strategic planning and people leadership skills to drive business performance, reduce friction, deliver value, and enhance efficiency. I joined Appfire, a leading global provider of software that enhances, extends, and connects the world’s leading platforms, in 2021 as Chief Information Security Officer (CISO). In this role, I’m responsible for maintaining effective information security and incident response programs and fostering a positive security culture.
Appfire has prioritized security since its inception and is committed to upholding the highest standards of data security and compliance. To support this, in 2022 my team launched Appfire’s award-winning Trust Center, which connects customers, partners, and prospects to the latest information on the security, privacy, and compliance of the company’s products and services. To date, Appfire has earned a series of internationally recognized data security certifications, including International Organization for Standardization (ISO) 27001; ISO 27017; System and Organization Controls (SOC) 2, Type I; and SOC 2, Type II.
How should modern CISOs look to enhance the entire Governance, Risk and Compliance workflow for modern businesses?
Compliance mandates and regulations have become increasingly complex. While they aim to protect sensitive information and establish standard security protocols, mere compliance does not equate to true security. Each organization has to ensure that their security policies and tools meet the evolving mandates of new and evolving regulations. CISOs and other security leaders have several options that enable them to remain compliant, including obtaining widely recognized data security certifications and investing in solutions that streamline processes and reduce the time it takes to achieve compliance, rather than relying on spreadsheets and retained knowledge.
In many organizations, governance, risk, and compliance teams can often become the largest part of the security team. It’s critical to ensure that collaboration capabilities and relationships are put in place before they are needed and to maintain ongoing communications with areas of the organization that face the customer, like sales, marketing, and legal.
What top challenges do CISOs face when it comes to handling industry and business risk and compliance?
For the past several years, scrutiny around security posture has grown significantly. Regulations are constantly evolving to keep up with today’s threat landscape. However, as they continue to roll out at the national, federal and state levels, it’s often difficult to keep up with the sheer volume and speed at which the laws are announced and adjusted. In the upcoming year, I don’t foresee the creation and enforcement of regulations slowing down. Hiring security team GRC specialists that focus specifically on business risk and compliance changes is a new trend that should be used to address these increasing challenges.
What cybersecurity measures should CIOs/CISOs be more vigilant about in 2025?
In 2025, we’ll see cyberattacks become even more sophisticated, with layered attacks facilitated by AI targeting multiple vulnerabilities simultaneously, rather than focusing on a single point of failure. For example, attackers might infiltrate a supplier’s people and systems, deploy ransomware, and exfiltrate data—all while planting backdoors for future access. This evolving threat landscape will pose a significant challenge for organizations that rely too heavily on a single layer of defense while neglecting others.
Companies and individuals need to re-evaluate their security measures and ensure that each layer of defense—whether it’s network security, application security, or endpoint protection—is effective. Those relying on just one layer will need to make adjustments quickly to avoid falling victim to an attack that could permanently affect an organization’s technical resilience. AI will be key in pulling together these multiple sources of security oversight to help security teams identify and respond effectively to security events.
Deepfakes are also a major concern across industries. Bad actors are leveraging sound bites and videos of executives to manipulate employees into providing them access to their organizations. This can have devastating consequences for those who aren’t aware of them. For this reason, it’s important to educate employees on the dangers of deepfakes and other sophisticated attacks, especially with employees being their organization’s first line of defense. Interestingly, safe words are becoming, and will continue to be, a valid security control to counteract these threats.
Can you share a few thoughts around how new age tech and AI is enabling better prevention and threat security measures today?
With cybersecurity threats evolving, the need for an effective cybersecurity posture that can protect any organization against bad actors and attacks is at an all-time high. As a result, security vendors are leveraging AI to proactively detect and alert companies about breaches, in an effort to better safeguard their data. For example, vendors on the market today use AI to perform general queries against company data using natural language to determine if the organization has been attacked or not. This increases the speed with which security teams can identify and respond to threats. Speediness in response has always been a key tenet of a good security operations program. However, AI is putting pressure on security teams to get even better and faster than in the past. AI is being used in attacks, but it is also necessary to use AI in your countermeasures planning to keep pushing that speed and complexity boundary.
How will the modern CISO’s office and area of delivery evolve as industry trends change?
Traditionally, the role of the CISO is to remain vigilant and up-to-date with evolving threats while simultaneously supporting their organizations by investing in and implementing security measures to protect its most valuable asset, its data. This includes safeguarding data for customers, partners and the organization itself. In today’s threat landscape, where bad actors are launching attacks at alarming rates and insider threats are on the rise (where employees knowingly and, more often, unknowingly share sensitive information), an organization’s security can’t solely rest on the shoulders of the CISO and their team. To build a strong security posture, security must be a priority for everyone within the company and embedded into its culture.
Compliance and regulatory requirements will also push CISOs to be more aligned with the business. This will also increase personal risk to CISOs regarding liability and similar business risks. CISOs will need to evolve to be more business-focused and ensure the CEO, executive leadership team, and the board understand how information security has the potential to negatively impact the business if not properly managed.
A few actions organizations can take to begin building a strong security foundation include mandating security training for all employees and enforcing a security-first approach for all newly released products. These initiatives help keep security at the forefront of operations and ensure that everyone is well-informed and equipped to contribute to the organization’s overall defense.
Doug Kersten is the Chief Information Security Officer (CISO) of Appfire.
Appfire is the leading global provider of software that enhances, extends, and connects the world’s leading platforms to make work flow any way teams want to work, from planning to product ideation, product development, project delivery, and beyond.