Cyber Savvy: Advancing Cyber Resilience for a Sustainable Future With BSI’s Mike Pitman
Discover how BSI CISO Mike Pitman is advancing cyber resilience in the face of AI threats, zero-day vulnerabilities, and budget constraints—while supporting a sustainable future for security.
Emily Burns

At a time when AI-driven threats are accelerating and budgets are tightening, cybersecurity leaders are being asked to do more than ever—without compromising resilience or long-term impact. In this edition of Cyber Savvy, we sit down with Mike Pitman, Chief Information Security Officer (CISO) at BSI Group, to explore what it takes to secure an organization that’s built on trust, standards, and a commitment to a sustainable future.
From navigating zero-day vulnerabilities to adapting defenses for rapidly evolving threats, Mike shares how his team is balancing innovation with responsibility—using strategic foresight, deep expertise in AI, and a practical approach to risk. Whether you're a fellow CISO or simply passionate about building secure systems for the long haul, this is a conversation worth reading.
What are your biggest security concerns/challenges as a CISO?
A: The things that keep me up at night are the prevalence of zero-day vulnerabilities and the speed at which they can be exploited. By the time the vendors release a patch your systems could already have been compromised, and the attacker could have a foothold in your environment and just be sitting waiting to make their move.
The second thing that concerns me is the speed at which attackers are developing new capabilities to attack organisations. They can develop at breakneck speeds, without the need to adhere to legal, ethical, and moral concerns. And as organizations, we are struggling to keep up.
Finally, the misuse of AI solutions by threat actors to allow them to discover and exploit vulnerabilities, develop large-scale phishing campaigns, and create deepfakes makes today’s security threat landscape a constant challenge.
What new challenges do you anticipate in the coming year?
A: Coming off the back of a major four-year transformation programme, which has seen a substantial investment into our Information Security & Network function, our biggest challenge this year is continuing to develop and mature our capabilities, without any significant financial expenditure. We have increased our technology footprint and capability considerably, but the transition from project-related spend into BAU means the whole team is under much greater pressure to continue to be more efficient, effective, and productive without further spend on resources (both people and technology-related).
How is your team adapting to the evolving threat landscape? (advances in AI, increasingly sophisticated attackers, etc.)
A: Within the team, we have a subject matter expert on not only AI Security, but AI in general. They have written numerous articles on the topic and published a book. Utilising their expert knowledge to educate and enlighten the rest of the team, we are more and more prepared for the challenges of AI/ML being incorporated into day-to-day business processes and activities. We are also investing in training across the team to ensure that we have the skills to not only understand the complexities of AI (and how they operate), but the risks and controls needed to ensure they can be used safely within the organisation.
What do you consider your most important success metric?
A: I don’t think success can be boiled down to a single metric, but I think there are two or three key ones that we report on that show our security posture and the success of the measures we have in place. Number of business impact incidents, percent of users reporting phishing emails (as part of simulation exercises), and mean time to contain security incidents.
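The three metrics named above are only useful if they are computed the same way every reporting period, and mean time to contain in particular is easy to get wrong: silently dropping incidents that are still open makes the number look better than reality. The following is an added Python example, not BSI's code or tooling; the incident and phishing-simulation records are constructed sample data, and the field names are assumptions. It computes all three metrics and makes the handling of open incidents an explicit choice.

```python
from datetime import datetime, timezone
from statistics import mean

# Constructed sample incident records (not real data). Timestamps are ISO-8601 UTC;
# "contained" is None while an incident is still open. Field names are assumptions.
INCIDENTS = [
    {"id": "INC-001", "detected": "2025-03-02T09:15:00Z", "contained": "2025-03-02T11:45:00Z", "business_impact": True},
    {"id": "INC-002", "detected": "2025-03-10T22:00:00Z", "contained": "2025-03-11T02:00:00Z", "business_impact": False},
    {"id": "INC-003", "detected": "2025-03-15T08:00:00Z", "contained": None, "business_impact": True},
    {"id": "INC-004", "detected": "2025-03-20T14:30:00Z", "contained": "2025-03-20T15:00:00Z", "business_impact": False},
]

# Constructed phishing-simulation results, one row per recipient of the simulated email.
SIMULATION = [
    {"user": "alice", "reported": True, "clicked": False},
    {"user": "bob", "reported": False, "clicked": True},
    {"user": "carol", "reported": True, "clicked": True},   # clicked, then reported it
    {"user": "dave", "reported": False, "clicked": False},
    {"user": "erin", "reported": False, "clicked": False},
]


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp ('...Z') into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def business_impact_incidents(incidents):
    """Metric 1: count of incidents flagged as having business impact."""
    return sum(1 for inc in incidents if inc["business_impact"])


def open_incidents(incidents):
    """IDs of incidents that have no containment time yet."""
    return [inc["id"] for inc in incidents if inc["contained"] is None]


def mean_time_to_contain_hours(incidents, include_open=False, now=None):
    """Metric 3: mean hours from detection to containment.

    By default open incidents are excluded, which understates the real figure.
    With include_open=True, each open incident counts as contained at `now`
    (an ISO-8601 UTC string), giving a lower bound on the true mean.
    Returns None when there is nothing to average.
    """
    durations = []
    for inc in incidents:
        detected = _parse(inc["detected"])
        if inc["contained"] is None:
            if not include_open:
                continue
            if now is None:
                raise ValueError("include_open=True requires a `now` timestamp")
            end = _parse(now)
        else:
            end = _parse(inc["contained"])
        durations.append((end - detected).total_seconds() / 3600)
    return mean(durations) if durations else None


def phishing_report_rate(results):
    """Metric 2: percentage of simulation recipients who reported the email.

    A user who clicked and then reported still counts as a report; the click
    is tracked separately so the two rates are not conflated.
    """
    return 100 * sum(1 for r in results if r["reported"]) / len(results)


def phishing_click_rate(results):
    """Percentage of simulation recipients who clicked the link."""
    return 100 * sum(1 for r in results if r["clicked"]) / len(results)


def posture_summary(incidents, results, now):
    """All three metrics in one dict, with open incidents reported alongside MTTC."""
    return {
        "business_impact_incidents": business_impact_incidents(incidents),
        "phishing_report_rate_pct": phishing_report_rate(results),
        "phishing_click_rate_pct": phishing_click_rate(results),
        "mttc_hours_closed_only": mean_time_to_contain_hours(incidents),
        "mttc_hours_lower_bound": mean_time_to_contain_hours(incidents, include_open=True, now=now),
        "open_incidents": open_incidents(incidents),
    }


if __name__ == "__main__":
    for k, v in posture_summary(INCIDENTS, SIMULATION, now="2025-03-16T08:00:00Z").items():
        print(f"{k}: {v}")
```

Reporting both the closed-only figure and the lower bound, together with the list of open incidents, keeps a long-running incident from vanishing from the board pack.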
What are your three biggest goals for the coming year?
A: 1.) Improving our vulnerability management processes and procedures; 2.) Completing our three-year ISO 27001 recertification cycle; and 3.) Improving our DR capabilities and demonstrating that capability to our board and stakeholders.
Are there any security leaders, besides yourself, that you look to for guidance?
A: There is a peer-to-peer CISO WhatsApp community in which we share thoughts, ideas, and ask each other questions. It provides peer-related feedback and recommendations on technology, solution providers, and best practices, while providing a collaborative and supportive space for discussion.
What advice do you have for other CISOs or aspiring CISOs?
A: Being a CISO is not about being the best technical person or knowing how to write great code. It’s about understanding how information security risks relate to the business you work for, being able to translate those technical risks into business-related ones, and hiring the right people for the skills you need in your team to manage those risks.