Building a Risk Narrative: Gary Hayslip’s Cybersecurity Playbook for Executives

In this episode of CyberOXtales, host Neatsun Ziv, CEO of OX Security, sits down with Gary Hayslip, CISO at SoftBank Investment Advisors, to explore how CISOs can build risk narratives that influence business decisions. Gary shares lessons from his experience in five CISO roles and emphasizes why cybersecurity leaders must act as business executives first. He outlines how to align strategy with operations, engage with boards through compelling storytelling, and maintain peer-driven situational awareness in a fast-moving threat landscape.

About Our Guest:

Gary Hayslip is the Chief Information Security Officer at SoftBank Investment Advisors (the Vision Fund). With a career spanning more than two decades, including roles in both government and private sectors, Gary has led security teams at Webroot, the City of San Diego, and more. He’s a systems thinker with a strong operational background rooted in his military service and is known for his strategic approach to cybersecurity leadership.

Connect with Gary: LinkedIn

Key Takeaways:

• CISOs are Business Executives First – Gary emphasizes that cybersecurity leadership today is about managing risk, enabling operations, and supporting business goals.
• Build a Tailored Risk Narrative – A one-size-fits-all story doesn’t work. Risk narratives must reflect the unique needs, operations, and regulatory context of the business.
• Storytelling Drives Strategy – Gary uses risk/threat matrices, control frameworks like NIST CSF, and ongoing assessments to communicate a clear story to executive teams.
• Peer Networks are Essential – Active engagement with fellow CISOs helps benchmark strategy and adds credibility in boardroom discussions.
• Balance Ops and Strategy – Mornings are for operational awareness; the rest of the day is for strategic collaboration, reporting, and forward-looking planning.

Listen to this episode of CyberOXtales to learn how Gary Hayslip builds risk narratives that resonate—from the boardroom to the security operations center.

In this episode of CyberOXtales, host Neatsun Ziv, CEO of Ox Security, explores the evolving role of CISOs in AI-driven companies with Damian Hasse. As artificial intelligence reshapes industries, security leaders must navigate new risks, balance innovation with protection, and ensure compliance with emerging regulations.

Damian shares firsthand experience leading security in an AI company, offering insights into AI-specific threat landscapes, risk management strategies, and how CISOs can build resilient security programs in an environment where data is the most valuable asset.

About Our Guest:

Damian Hasse is an experienced cybersecurity leader with a deep focus on securing AI-driven environments. As the CISO of Moveworks, his expertise spans risk management, security architecture, and governance, ensuring that AI companies can scale while maintaining a strong security posture.

Connect with Damian: LinkedIn

Key Takeaways:

• AI Security is a Moving Target – AI models introduce unique risks, from adversarial attacks to data poisoning. CISOs must adapt quickly to emerging threats.
• Balancing Innovation and Risk – Security leaders in AI companies can’t be the “Department of No.” Instead, they must integrate security into AI development without slowing innovation.
• The Role of Regulation in AI Security – The regulatory landscape for AI is still evolving. CISOs must stay ahead of compliance challenges, from GDPR to AI-specific policies.
• Operationalizing AI Security – Implementing robust access controls, model integrity checks, and continuous monitoring is essential for securing AI pipelines.
• AI Threat Intelligence is Key – Security teams must develop proactive defense mechanisms to protect AI systems from adversarial threat.

This cybersecurity playbook is inspired by Devin Rudnicki’s insights on navigating the CISO role, mastering communication, and aligning security programs with business outcomes, as shared on CyberOXtales.
The Playbook

Objective:

💡 This playbook provides actionable strategies from Devin Rudnicki, CISO at Fitch Group, on navigating the CISO role, building cross-functional security programs, and aligning security initiatives with business outcomes.

Key Goals Include:

• Equip new and aspiring CISOs with a roadmap for their first 90 days.
• Highlight the importance of communication and stakeholder management.
• Provide strategies for aligning security programs with business outcomes.
• Emphasize building cross-functional security committees.

• Speak the Board’s Language: Present risks as business impacts, not technical threats.
• Develop a Risk Narrative: Tie security initiatives to business outcomes using real-world scenarios.
• Create a Security Scorecard: Use clear metrics (e.g., time-to-patch, phishing click rates) to frame progress.

• Meet key stakeholders: Board members, CIO, CRO, and department heads.
• Audit the current security program and identify gaps.

• Develop a draft security strategy aligned with business outcomes.
• Start forming a cross-functional security committee.

• Finalize and present the security strategy to leadership.
• Launch quick-win security initiatives for early impact.

• Form the Committee: Include stakeholders from Risk, IT, Legal, and Operations.
• Establish Regular Meetings: Review security metrics and program updates.
• Assign Ownership: Make security a shared responsibility across departments.

• Conduct Business Impact Analyses (BIA): Identify and protect the most critical business processes.
• Develop Risk Scenarios: Show leadership how security mitigates business disruption.
• Track Outcomes, Not Tools: Measure success through reduced incidents, faster recovery times, and improved risk scores.

• Lead by Example: Participate in security tool evaluations and incident response exercises.
• Bridge Technical and Executive Teams: Translate complex technical challenges into business language.
• Mentor the Team: Share experiences from your own career to develop talent.

In this episode of CyberOXtales, host Neatsun Ziv, CEO of OX Security, sits down with Rohit Parchuri, CISO at Yext, to discuss the art of building a culture of security within organizations. Rohit shares his journey from a budding cybersecurity enthusiast in South India to becoming a strategic leader responsible for managing cyber risk at the executive level.

The conversation delves into the complexities of the CISO role, the significance of a structured cyber risk program, and the importance of aligning security efforts with business priorities. With actionable insights, Rohit highlights how organizations can empower their teams, establish risk committees, and seamlessly integrate audit processes to create a resilient cybersecurity strategy.

About Our Guest:

Rohit Parchuri is a seasoned cybersecurity professional and the Chief Information Security Officer at Yext, where he oversees strategic risk management and cybersecurity operations. With a technical foundation in electronics and communications and a passion for understanding cyber risks, Rohit has navigated diverse roles in network security, compliance, application security, and governance. His approach combines technical acumen with a focus on empowering organizations to embrace a culture of security.

Connect with Rohit: LinkedIn

Key Takeaways:

• Security Culture Is Key: Driving a company-wide culture of security ensures every employee contributes to the organization’s safety.
• Risk Management Should Align with Business Goals: Cyber risk programs should reflect the organization’s strategic priorities and compliance obligations.
• Communication Matters: Translating technical cybersecurity risks into language executives can act on is crucial.
• Collaboration Drives Success: Establishing committees and fostering teamwork ensures cohesive and effective cybersecurity efforts.
• Audit Integration Enhances Oversight: Seamlessly integrating audit processes into risk management provides a unified view of organizational risks.

In this episode of CyberOxTales Podcast, host Neatsun Ziv, CEO of OX Security, interviews Sam Rehman, Global CISO at EPAM, about the critical role of password and secrets management in cybersecurity. The discussion covers building a culture of security, fostering collaboration across teams, and the evolving role of CISOs in modern organizations. Sam shares actionable advice on embedding security into organizational workflows and addressing industry-specific challenges.

About Our Guest

Sam Rehman is the Chief Information Security Officer, SVP at EPAM with over 35 years of experience in cybersecurity. Known for his strategic approach, Sam has been instrumental in fostering security culture and aligning security practices with business goals. His expertise spans managing risks, addressing vulnerabilities, and implementing innovative solutions in complex environments.

Connect with Sam: LinkedIn

Key Takeaways

• Passwords should never be hard-coded into code.
• Security awareness starts with developers understanding risks.
• Injecting security champions into projects enhances security culture.
• CISOs are evolving from gatekeepers to collaborative partners.

In this episode of CyberOxTales Podcast, host Neatsun Ziv, CEO of OX Security, welcomes Mario Duarte, former CISO at Snowflake. They discuss the complexities of securing CI/CD pipelines and non-human identities, shedding light on why these areas are often overlooked and how to communicate their importance to both technical and non-technical stakeholders.

About Our Guest:

Mario Duarte is the former CISO of Snowflake, where he built the security team from scratch. With over 25 years of experience in the security industry, Mario now advises, invests, and speaks on security topics such as CI/CD and non-human identities.

Connect with Mario: LinkedIn

Key Takeaways:

• Development and QA environments are less controlled than production, making them prime targets for attackers.
• API keys and tokens often "move around" in development environments, increasing the risk of exploitation.
• Handling widespread vulnerabilities requires clear communication with management and an understanding of how vulnerabilities manifest in production.
• Mario emphasizes the importance of storytelling to explain security risks in relatable terms to both developers and executives.

In this episode of CyberOXTales Podcast, host Neatsun Ziv, CEO of Ox Security, sits down with David Corral Morgadez, Global Head of Cybersecurity Architecture at Repsol. They delve into the evolving landscape of Operational Technology (OT) security, discuss the integration of OT and IT environments, and explore the unique challenges faced in securing OT systems. David provides expert insights into how OT security is changing and what the future might hold for this critical field

In this episode of CyberOXTales Podcast, host Neatsun Ziv, CEO of OX Security, welcomes Yabing Wang, VP, Information Security & CISO of Justworks. They explore how to effectively communicate cybersecurity risks to the board, avoid common pitfalls in board presentations, and align cybersecurity with business priorities. Yabing shares her unique experience bridging technical and business leadership roles, offering practical advice for security professionals at the executive level.

About Our Guest:

Yabing Wang is the VP, Information Security & CISO of Justworks, a New York-based company specializing in payroll, benefits, and insurance services. With over 20 years of experience in cybersecurity and former roles at Netscape and HEB, Yabing has a rich background in both technical and executive leadership.

Connect with Yabing: LinkedIn

Key Takeaways:

• Use plain language and relatable examples when communicating cybersecurity risks to non-technical board members.
• Avoid focusing solely on metrics. Frame the data within the broader security context to show progress and highlight key risks.
• While CISOs act as advisors on risk, business owners should ultimately own the risk decisions.
• Yabing discusses the benefits of reporting to general counsel versus traditional IT reporting lines, offering unique visibility to the board.
• Yabing shares details about his new book, 97 Things Every Application Security Professional Should Know, a comprehensive guide for security professionals.

In this episode of CyberOXTales Podcast, host Neatsun Ziv, CEO of Ox Security, welcomes Tyson Kopczynski, a former CISO with over 20 years of experience in healthcare and FinTech. They discuss the concept of 'near hit' incidents, communicating cybersecurity risks to management, and the importance of a structured incident response plan. Tyson shares practical advice on how to approach communication with different stakeholders during incidents and reflects on his new role as a virtual CISO, contrasting it with being a full-time CISO. The episode provides valuable insights into effective incident management and adaptive cybersecurity strategies.

About Our Guest:

Tyson Kopczynski is a seasoned cybersecurity professional with over 20 years of experience in the industry. He has served as the Chief Security Officer (CSO) at Aledade and Oportun, working extensively in the healthcare and FinTech sectors. Tyson is a respected industry expert, author, and speaker, collaborating with various venture capitalists and startups. Currently transitioning to a Virtual Chief Information Security Officer (vCISO) role, Tyson aims to leverage his expertise to help organizations enhance their security practices.

Connect with Tyson: LinkedIn

Key Takeaways:

• Effective communication with management during incidents involves presenting a structured plan and keeping stakeholders informed.
• Engaging with the board requires a more informative and high-level approach to provide confidence in the security response.
• Structured incident response plans help maintain control and mitigate risks during cybersecurity incidents.
• Transitioning to a vCISO role offers a fresh perspective and diverse experiences to assist organizations in bolstering their security postures.

Listen to the full episode here. Stay tuned for more insightful stories, scenarios, and cybersecurity playbooks on CyberOxTales!

In this episode of CyberOxTales Podcast, host Neatsun Ziv, CEO of Ox Security, interviews Eli Edelkind, Head of Cybersecurity at CAVA, shedding light on the pivotal role of visibility in cybersecurity practices. Eli emphasizes the evolution of cybersecurity towards prioritizing visibility to enhance risk management and control efficacy. Through insightful anecdotes and practical examples, Eli illustrates how a proactive approach to visibility enables organizations to fortify their cybersecurity posture and navigate evolving threats effectively.

About Our Guest:

Eli Edelkind is a seasoned cybersecurity professional currently serving as the head of cybersecurity at CAVA, a fast-casual Mediterranean restaurant chain expanding nationwide. With a wealth of experience in the cybersecurity domain, Eli excels in establishing visibility, risk prioritization, and effective communication strategies within his organization. His expertise lies in aligning cybersecurity initiatives with business objectives, providing a secure environment while enabling operational efficiency.

Connect with Eli: LinkedIn

Key Takeaways:

• Establishing visibility is paramount in cybersecurity to effectively understand risks and prioritize tasks.
• Prioritizing risks based on people, applications, and infrastructure allows for targeted security control implementation.
• Cybersecurity professionals should communicate potential risks transparently to stakeholders, aligning with business objectives.
• Keeping pace with state-specific privacy regulations is essential in industries like restaurants to ensure compliance.
• Collaborating with legal teams, industry networks, and internal stakeholders aids in adapting cybersecurity strategies to evolving regulatory landscapes.

Listen to the full episode here. Stay tuned for more insightful stories, scenarios, and cybersecurity playbooks on CyberOxTales!