2025-05-12

With over two decades of experience in cybersecurity in multiple CISO and risk management roles across several industries, Niamh Muldoon is a pioneer. She was the first woman in Ireland to pass her Certified Information Systems Security Professional (CISSP) certification, for which she had to travel to the US. In January 2024, she embarked on a new adventure by taking on a new double role as CISO for Europe, Middle East and Africa (EMEA) and Innovation Lead at the Bank of New York Mellon (BNY), one of the oldest financial service providers in the world. In a recent discussion with Infosecurity, Muldoon explained how innovation feeds BNY’s global cybersecurity strategy. She also shared how the rapid pace of AI advances and their accompanying threats force her and her team to reinvent themselves constantly, making her job challenging and exciting. Finally, Muldoon reflected on the evolution of the profile of CISOs in cybersecurity and emphasized the need for modern CISOs to balance technical skills with an understanding of business and financial constraints.

Infosecurity Magazine: You have an unusual dual role at BNY as EMEA CISO and Innovation Lead. What are your main missions?

Niamh Muldoon: BNY has a Global CISO, Matthew McCormack, an International CISO, Gary Delaney, and me as EMEA regional CISO and Innovation Lead. We have a big focus on EMEA because we need to understand cybersecurity regulations, compliance requirements and our extensive client portfolio for this region. My EMEA CISO role is supported by two of BNY’s global teams, the Trust & Services Team and the Business Information Security Officer (BISO) Team. They work with me on preparing updates to clients on BNY’s security program, as well as regulatory and government updates. They're doing the groundwork and providing me with the updates to support me in my role. I’m not in the weeds of daily or weekly access controls. Instead, I'm using my 24 years’ experience in the industry and my knowledge of our portfolio to decide on the direction. I say what our business and the financial services industry need to focus on next. As a regional CISO, I represent the region at a global level, so I need to make sure I have the Global CISO’s support. At the same time, I have an Innovation Lead role, which is what excites me the most. This is a global level role – we work with cyber startups in Asia-Pacific (APAC), America and across Europe. As Matt McCormack, the Global CISO, once told me: "You're the only CISO who makes money for BNY, because you're picking innovative cyber technologies that we invest in to help them grow and develop. You're giving back to the industry but also to BNY's investments."

IM: What does this Innovation Lead role look like?

NM: My role involves looking at three components:

The threat landscape

The existing cyber technology tools and services, such as products from Microsoft, Palo Alto, Okta, Menlo Security, Splunk...

Where there are opportunities to improve our best practices and protect against emerging threats

I'm able to understand at an in-depth level how desktop technologies, cloud technologies, data processing technologies, identity platforms and communications services work, and I know the existing cyber tooling out there and where its weaknesses are. I pick the cyber startups proposing an interesting way to address any identified issues, gaps or challenges, so that we can invest in them – in what's known as a Trust & Security portfolio. The team I work with as Innovation Lead is known as the Strategic Partnerships & Investment (SPIN) Team. They have two innovation centers – in the US and London. We do an internal quarterly threat review, then we look at our portfolio, at the new tools available in the marketplace and we take feedback from our clients. Then I sit down with the management team, predominantly the Global CISO, to discuss and come up with the focus for the quarter. Then we go out and look at new financial and cyber technology startups to do proof-of-concepts or proof-of-values with. The SPIN team then holds quarterly sessions with clients and stakeholders across BNY at their innovation centers, during which they share some of the new cyber innovations we've looked at, including new tech startup companies.

For us at BNY, these startups enable us to keep one step ahead of cyber threats. From the startups' perspective, they get an industry leader's time and feedback, someone who's built cyber programs in highly regulated environments, about where to develop their products as well as the opportunity to partner with us or have us invest in them.

IM: What was your latest focus as Innovation Lead?

NM: AI is an excellent example of an area we’re looking into, because the architectures around the latest AI applications are very different to cloud architectures or on-premise architectures, so as an organization you really need to be one step ahead of malicious actors and understand the weaknesses in the architecture that they could try to target. Gartner predicts that AI is going to become a standard technology within less than 12 months – and we're already seeing it. Even in the last 12 months, we've seen a huge shift in AI, with the emergence of multimodal AI or AI agents replacing humans for specific tasks. That’s why 12 months ago, we sat down and looked at cyber startups that have designed product offerings to address those threats targeting AI architectures that existing tools in cyberspace do not address by design. At first, we identified the main threats and vulnerabilities in LLMs and how AI models interact with the existing technology stack we and our clients use. Therefore, we started by looking at tooling from cyber startups that addressed the secure software development lifecycle (SDLC) process. Then, we focused the next step of our roadmap on the interfaces that connect AI models with the end-users, such as chatbots or enterprise prompt boxes. In the roadmap we're looking at, we also want to focus on the data that goes into models. But things change so rapidly and we already have to focus on the next wave of AI threats.

IM: What do you think the next wave will be?

NM: The next wave of threats could come from AI supporting individuals, with AI agents notably. This raises multiple questions, such as how you manage such an agent from an identity or privilege management perspective. How would you provide assurance that they're only doing what they say they will do? Another interesting area is around behaviors. We conduct a lot of cyber awareness training for threats involving malicious humans, but what do they look like from an agent's perspective in the future? How would you manage the identity aspect of cyber awareness training? Do you put it in your current operating model or keep it separate? Twelve months after looking into cyber offerings securing SDLC processes for LLM models, we're already trying to anticipate what will happen when LLMs replace humans. I've not seen anybody from existing companies, such as Okta or OneLogin – where I used to work – expanding their existing tooling to manage AI agent identities.

IM: How do you see the role of CISO evolving in the future?

NM: When I qualified in cybersecurity back 24 years ago, the only certification was ISC2’s CISSP and I had to go to the US to do it. I was the first woman in Ireland to qualify. The people who have qualified at the same time or before me are all of retirement age now.

Now, we do have people getting qualified at a highly technical level, but not necessarily building out their risk management framework or their understanding of the laws and regulations. That skillset is gone and I don't think we've nurtured it enough to continue to grow. For the last four to five years, people have been promoted to CISO roles and they really don't have the expertise needed across the technology and the business, including negotiating with the professional side of the organization. They haven't been on executive leadership teams and/or reporting to the board before they take on the role. The cybersecurity industry is good at developing the technical side of CISOs but not so much at training future CISOs to understand the business and financial aspects of being a CISO: looking for budgets, defining what you really need and what are just nice-to-haves, and being able to pitch to the board and executives so that they understand the risk they're accepting. Additionally, organizations tend to get younger, less experienced professionals as CISOs. They're not going to question and push back on leadership teams as much about budgets and the risks involved. These CISOs sometimes can't articulate – i.e. quantify and qualify – the cyber risk in terms that business executive leadership teams understand, and grow to dislike the job. This is what is causing the ‘Great CISO Resignation.’

