10 Most Influential CISOs You Should Follow in 2026

TOP TEN CISOS IN 2026

In December 2023, three days before Christmas, MongoDB sent an email to its customers.

A threat actor had gained unauthorized access to MongoDB corporate systems. Customer account metadata had been exposed. For some customers, phone numbers and email addresses. For one customer, system logs.

Lena Smart was MongoDB’s CISO. She had been warning her team for years that the question was never whether a breach would happen. It was whether you’d know about it fast enough to matter, and whether the systems you’d built could limit the damage when it did. The MongoDB breach became one of the more studied incident response cases of that year, not because of what was stolen, but because of how quickly it was detected, contained, and disclosed. The kind of outcome that only happens when someone has spent years building toward it before the attackers show up.

That is the gap that separates good security leadership from reactive security theater.

Every year on June 4, National CISO Day, the industry takes a moment to recognize the people carrying that weight. The role has transformed. CISOs are the people who sit in front of boards, advise on acquisitions, shape product decisions, and make the case for why security is a business driver, not a cost center. The best ones have moved the conversation from threat chasing to exposure management, from quarterly audits to continuous visibility, from locking the door after the break-in to understanding what was exposed before anyone tried to get in.

We built this list around one question: whose thinking actually changes how organizations approach security? Not the loudest voices but the CISOs whose frameworks, research, writing, and public work make the people who follow them genuinely better at the job.

These 10 have done that. They have led security programs at some of the world’s largest platforms, written the books that practitioners carry into boardrooms, built the mental models that security teams use to think about exposure, and held the line in rooms where the pressure to cut corners was enormous.

If you are responsible for web security, application security, third-party risk, or understanding what is actually exposed on your attack surface, some version of their thinking is already shaping how you work. Whether you know it or not.

10. Sounil Yu

Platform: LinkedIn, X

Focus: Security frameworks, AI safety, Cyber Defense Matrix, exposure mapping, third-party risk quantification

Sounil Yu spent years watching security teams buy tools they could not evaluate, build programs they could not measure, and respond to threats they could not map. So he built a framework to fix it.

The Cyber Defense Matrix is now used by CISOs at some of the world’s largest organizations to map their security capabilities against real attack vectors, identify coverage gaps, and make purchasing decisions based on what they actually need rather than what vendors are selling. It is one of the most practical frameworks to emerge from the practitioner community in the last decade, and it was built entirely from the experience of someone who had lived the problem.

Sounil served as CISO at JupiterOne and Chief Security Scientist at Bank of America, and is now a co-founder of Knostic, focused on AI safety in enterprise environments. He has also served as CISO-in-Residence at YL Ventures, advising security startups from the buyer’s side of the table.

Why his voice matters:

The Cyber Defense Matrix maps security capabilities against actual attack vectors, which means it maps directly to the exposure problem. It forces teams to ask not what tools they have, but whether those tools cover the things attackers will actually exploit. In a world where third-party scripts, web supply chain risk, and client-side exposure are routinely invisible to traditional security stacks, that kind of structured gap analysis is exactly what most organizations are missing.

What makes him influential:

He built a tool the industry needed before the industry knew it needed it. The Cyber Defense Matrix is now part of how serious security programs think about coverage. His move into AI safety signals where the next exposure frontier is. When Sounil Yu publishes thinking, practitioners pay attention because it tends to arrive about two years before the rest of the industry catches up.

9. Lena Smart

Platform: LinkedIn

Focus: Cloud security, enterprise risk, security culture, developer-integrated security, board communication

Lena Smart left school at 16 in Scotland, started her career in a single-parent household without university access, and worked her way from tech support to CISO of a $16 billion company. That path matters not because it is unusual, but because it shaped how she thinks about security: practically, from the ground up, with no patience for theater.

As CISO at MongoDB, she built a security program inside one of the fastest-scaling database companies in the world, where the pressure to ship fast always competed with the pressure to ship safely. She also led the response to MongoDB’s 2023 security incident, which became a reference case for how disclosure and containment should work. Before MongoDB, she served as Global CISO at Tradeweb and as CIO and Chief Security Officer at the New York Power Authority, the largest state power organization in the country. She is a founding member of Cybersecurity at MIT Sloan, a collaborative body connecting academia and private sector security leadership.

Why her voice matters:

Lena has spent her career securing platforms where third-party integrations, cloud dependencies, and developer velocity are all in constant tension with security posture. Her thinking on how to maintain visibility across a fast-moving engineering organization is directly relevant to the challenge of web supply chain risk, where the code your team did not write and cannot fully see is often the code that gets exploited.

What makes her influential:

She talks about security the way practitioners actually experience it, without the abstraction that makes so much CISO content useless on the ground. Her Security Champions program at MongoDB, which trained cross-functional employees to identify and raise security issues, became a model for embedding security culture without slowing development. She is one of the rare CISOs whose thinking translates directly from the boardroom to the engineering team.

8. Alyssa Miller

Platform: LinkedIn, X, Blog

Focus: Application security, DevSecOps, penetration testing, risk communication, security leadership

Alyssa Miller bought her first computer at 12 and taught herself to hack. Her career started as a penetration tester in financial services, moved through application security consulting, and arrived at the CISO seat at Epiq Global, where she now leads security for a global legal services company operating in some of the most heavily regulated environments in the world. She is also the author of Cybersecurity Career Guide and a pilot.

She is known for bridging two worlds that often fail to connect: the technical depth of offensive security and the business language of executive leadership. Her content does not choose between those audiences. It holds both, which is why practitioners and CISOs follow her in roughly equal numbers.

Why her voice matters:

AppSec is where web exposure lives at the code level. The vulnerabilities that enable client-side attacks, script injection, API misconfiguration, and third-party library risks are not sophisticated zero-days. They are insecure development practices that survive because security and engineering never learned to speak the same language. Alyssa has spent her career closing that gap. Her work on developer-integrated security directly addresses the upstream source of most web exposure.

What makes her influential:

She is one of the most authentic voices on what it actually feels like to be a security leader, not the conference-keynote version, but the version that involves difficult board conversations, resource constraints, and decisions made with incomplete information. Her X presence and LinkedIn content consistently generate real conversation rather than engagement-bait. Over 20 years of practitioner experience means that when she offers a framework or a take, it has been stress-tested against reality.

7. Joanna Burkey

Platform: LinkedIn

Focus: Enterprise cybersecurity transformation, board-level security governance, diversity in technology, risk management, digital transformation

Joanna Burkey spent years at HP Inc., one of the world’s largest technology companies, running a global security program that spanned endpoints, infrastructure, supply chain, and product security across dozens of countries. She has lived and worked in both the US and Europe, which gives her a more expansive view of regulatory complexity than most of her peers. She holds a computer science and mathematics background from Angelo State University and the University of Texas at Austin, and a certificate in Finance and Accounting from Stanford GSB.

Since leaving the CISO seat at HP Inc., she has moved into board governance, serving as an independent director at Beyond Inc. and CorVel Corporation, and as chair of the risk and compliance committee at ReliabilityFirst. She was named to the Top 100 CISOs list in 2022 and has been published in Tribe of Hackers: Security Leaders. She is a fellow at the Center for Strategic and International Studies in Washington DC.

Why her voice matters:

HP’s security program under Joanna encompassed endpoint security, supply chain risk, and product security at a scale that few CISOs ever manage. Her experience securing a company that both produces and depends on third-party technology gives her a distinctive view of where supply chain exposure actually accumulates. Her move into board governance means she is now translating that operational experience into the language that determines security budgets and priorities at the highest level.

What makes her influential:

She represents where the most effective security leadership is headed: out of the technical silo and into the rooms where business decisions are made. Her writing and speaking on how CISOs should communicate with boards is practical, direct, and based on having sat on both sides of that table. In a field that often treats board communication as a soft skill, Joanna treats it as a technical discipline.

6. Michael Coates

Platform: LinkedIn, X

Focus: Web application security, browser security, OWASP, AppSec, platform security at scale

Michael Coates is the only person on this list who has served as CISO at three different platforms, and two of them are browsers or browser-adjacent: Mozilla, which builds Firefox, and Twitter, where he was the inaugural CISO. He later served as CISO at CoinList before co-founding Altitude Networks, a cloud data security company acquired in 2022. He now runs Seven Hill Ventures, a cybersecurity venture firm, and previously chaired OWASP, the largest nonprofit in the world focused on software security.

His career started on the offensive side. Before becoming a CISO, he was a hands-on hacker, breaking into banks, governments, and telecoms to find vulnerabilities before attackers did. That background never left him. He thinks about security the way attackers do, and his public writing reflects it.

Why his voice matters:

Mozilla and Twitter are two of the most attack-targeted platforms on the internet. Securing them requires a deep understanding of how client-side code executes, how browser behavior creates exposure, and how third-party integrations introduce risk that internal teams cannot fully control. His tenure at OWASP, the organization that defined the standards for web application security, means his thinking shaped how an entire generation of security practitioners was trained. That institutional influence is still active in every OWASP Top Ten list and every AppSec program that traces its methodology back to that work.

What makes him influential:

He brings the attacker’s perspective to executive security leadership, which is rarer than it should be. His current work backing early-stage security companies means he is evaluating the next generation of security tools from a position of deep practitioner experience. When he writes about web security or application risk, it is not theory. It is the lived experience of someone who has been inside some of the most complex attack surfaces on the internet and responsible for their defense.

5. Alex Stamos

Platform: LinkedIn, X

Focus: Platform security at scale, web application security, privacy enforcement, AI security, election security

Alex Stamos resigned from Yahoo as CISO after the company complied with a classified government order to scan all incoming email on behalf of U.S. intelligence agencies. He had not been consulted. When he found out, he tried to quit. That decision, choosing users over compliance with a surveillance request, defined how the security community came to see him: as someone who treats user protection as a genuine obligation, not a marketing position.

He went on to serve as Chief Security Officer at Facebook, where he led the company’s investigation into Russian interference in the 2016 election, testified before government committees on six continents, and oversaw security for 2.5 billion people across Facebook, Instagram, and WhatsApp. He later co-founded the Krebs Stamos Group with Chris Krebs and joined Stanford to found the Internet Observatory. He now serves as Chief Security Officer at Corridor, an AI security startup focused on preventing vulnerabilities from being introduced by AI-generated code.

Why his voice matters:

Facebook’s security program under Alex operated at a scale and complexity that almost no other organization has ever faced. The challenge of securing a platform where billions of users interact with third-party content, external applications, and data-sharing integrations is, in many ways, the purest version of the web exposure problem. His willingness to confront uncomfortable truths publicly, about his own organization’s failures, about what platform security actually requires, has made his perspective unusually valuable to practitioners who are tired of the sanitized version.

What makes him influential:

He combines operational depth with intellectual honesty in a field that does not always reward the latter. His Stanford work on AI security and election integrity has shaped how policymakers and technologists think about the next generation of platform risks. His move to Corridor signals where he believes the exposure frontier is moving: AI-generated code that developers cannot fully audit, running in production environments, with vulnerabilities baked in from the moment it was written.

4. Allison Miller

Platform: LinkedIn

Focus: Payments security, fraud prevention, real-time risk detection, platform trust, privacy

Allison Miller has spent 20 years building the systems that protect transactions, platforms, and people at internet scale. Her career ran through Visa, PayPal, Bank of America, Google, Electronic Arts, and Reddit, where she served as CISO and VP of Trust. The “Trust” in her title at Reddit was deliberate. Her view of security has always been broader than the technical perimeter: it encompasses fraud, safety, privacy, and the user-facing integrity of the platform itself.

She now runs Cartomancy Labs, an advisory firm focused on the intersection of people, money, and technology. She is one of the few security executives who has built and led real-time risk prevention systems operating at genuine internet scale, the kind of systems that make decisions in milliseconds about whether a transaction is legitimate or a session is compromised.

Why her voice matters:

The overlap between her career and Reflectiz’s world is direct. Payments security, third-party risk, web skimming, PCI compliance, and the exposure of checkout environments are all areas where her experience is immediately applicable. She has spent two decades building defenses for exactly the kind of web surface that Magecart attacks, third-party script abuse, and client-side skimming exploit. Her work at Reddit on platform trust also gives her a distinctive view of how third-party integrations create exposure that security teams cannot see from the inside.

What makes her influential:

She is one of the clearest thinkers in security about what it actually means to protect users, not just systems. Her framing of trust as a technical discipline, something that has to be engineered and measured, not assumed, reflects a maturity that most security programs are still working toward. Her advisory work at Cartomancy Labs means that thinking is now reaching a much wider range of organizations than any single employer could.

3. Rinki Sethi

Platform: LinkedIn, X

Focus: AppSec, enterprise risk, cloud security, security culture, Zero Trust, critical infrastructure

Rinki Sethi’s career reads like a tour of the most demanding security environments in the technology industry. She has served as CISO at Twitter, Rubrik, and IBM, and in senior security roles at Palo Alto Networks, Intuit, eBay, Walmart, and PG&E. She was one of the co-developers of the first national cybersecurity badge curriculum for the Girl Scouts of America. She now serves as Chief Security Officer at Upwind Security, a cloud security company that reported 4,000 percent year-over-year revenue growth in 2024.

At RSAC 2025, she joined a standing-room-only session on the surge of Chinese cyber campaigns targeting critical infrastructure, speaking alongside former NSA and DOJ leadership. Her framing was unambiguous: the air-gap mindset is no longer viable, Zero Trust must extend to operational technology, and the speed of AI-driven attacks has made manual SOC response inadequate at scale.

Why her voice matters:

Rinki has secured platforms that are simultaneously some of the most targeted and most complex environments in cybersecurity. Twitter’s scale and visibility made it a permanent target for nation-state actors, organized crime, and internal risk. Her experience at IBM and Palo Alto Networks adds enterprise and vendor-side depth that most CISOs lack. Her current work in cloud security at Upwind, focused on runtime-based detection rather than static scanning, reflects exactly the shift from reactive monitoring to continuous exposure awareness that defines the next generation of security programs.

What makes her influential:

She has held the CISO seat through some of the most difficult moments in recent platform security history and spoken publicly about what she learned. Her emphasis on AI-driven detection, resilient architecture, and operational readiness as active investments rather than aspirational goals is a practical framework that security leaders at any scale can apply. She is also one of the most active CISO voices on LinkedIn when major security events unfold, which means her commentary is reaching practitioners at exactly the moment they need it.

2. Myrna Soto

Platform: LinkedIn, X

Focus: Enterprise risk, compliance, board-level security governance, diversity in security leadership, financial sector security

Myrna Soto has been named to ALPFA’s 50 Most Powerful Latinas in Business list multiple times, ranked number one in 2019. She has also been CISO at some of the largest enterprises in America, including Comcast, where she served as Corporate SVP and Global CISO, and MGM Resorts International. Before that, she built security programs at American Express, Royal Caribbean, Norwegian Cruise Lines, and Kemper Insurance. She now advises boards, invests in cybersecurity companies through ForgePoint Capital, and serves on multiple public company boards.

Her background is unusual even by CISO standards. She holds a Master of Science in Industrial Psychology, an MBA, and a Masters Certification in Program Management. That combination of technical security depth, business strategy training, and behavioral science is not an accident. She has spent her career thinking about security as a human system, not just a technical one, and her approach to building security culture reflects it.

Why her voice matters:

Enterprise risk, regulatory compliance, and the gap between what boards think they understand about security and what they actually need to know are the areas where Myrna has spent 30 years. Her experience at Comcast, a company that operates as both a major internet infrastructure provider and a consumer platform with hundreds of millions of data touchpoints, gives her a view of third-party risk and web exposure at a scale that very few security executives have managed. Her current work advising boards means she is now translating that experience into the governance decisions that determine how seriously organizations take their exposure.

What makes her influential:

She has been right about the direction of enterprise security for three decades, and she has been willing to say it in rooms where the message was not always welcome. Her work on the intersection of compliance and real security, arguing that compliance frameworks often create the illusion of protection rather than actual risk reduction, is exactly the kind of structural critique that moves the industry forward. Her voice carries weight because it comes with receipts: decades of building and running programs that worked.

1. Phil Venables

Platform: LinkedIn, X, Blog

Focus: Cloud security, enterprise risk, AI security, third-party risk, security architecture at scale, CISO leadership frameworks

Phil Venables has been a CISO at four different organizations over 30 years. He was the first CISO of Google Cloud, where he built and led the global risk, security, compliance, and privacy teams from 2020 until 2025. Before Google, he served as CISO at Goldman Sachs for 17 years, and before that as CISO at Deutsche Bank. His career began in 1992 as an Information Security Manager at Barclays Bank.

He helped found the Center for Internet Security. He served on the President’s Council of Advisors on Science and Technology under two administrations. He advises the Bank of England, the Monetary Authority of Singapore, and the Port Authority of Singapore. He is now a Venture Partner at Ballistic Ventures and a strategic security advisor at Google, where he continues to publish one of the most read CISO blogs anywhere on the internet.

His writing does not operate at the level of buzzwords. It operates at the level of engineering discipline. Posts on API security, cloud architecture, third-party risk quantification, and how to translate security posture into terms that boards can act on are the kind of content that practitioners save and return to. He is, by most measures, the most credible CISO voice currently active on the internet.

Why his voice matters:

Google Cloud’s security program, under Phil’s leadership, had to solve the exact problems that define modern enterprise exposure: API security at scale, third-party risk across a global supply chain of cloud dependencies, client-side encryption, continuous threat monitoring across millions of customer environments. His thinking on these problems is the product of decades of practitioner experience at the highest levels of the industry. His blog posts on exposure management, cloud security architecture, and the evolving role of the CISO are not thought leadership in the marketing sense. They are working documents from someone who has built the systems he is writing about.

What makes him influential:

He is one of a very small number of people who can write with equal authority about the technical architecture of a security program and the governance structures that make it sustainable. His thinking on the CISO role, specifically on how the role is evolving from technical overseer to Chief Digital Risk Officer, is shaping how organizations define the position and what they expect from the people who hold it. After 30 years at the forefront of enterprise security, his perspective on what actually moves the needle is the perspective the rest of the field is still trying to catch up to.

Why These Voices Changed Security

These ten CISOs did not build their influence by posting more than everyone else. They built it by being right about things that mattered before the rest of the industry caught up.

They built the frameworks that practitioners use to think about coverage gaps. They secured the platforms that attackers spent years trying to break. They wrote the books that security engineers carry into job interviews and board presentations. They held the line when the pressure to cut corners was enormous, and then wrote about what that experience actually taught them.

They proved, collectively, that the most dangerous risk is the one you cannot see. Not the attack that triggers your alert. The exposure that already existed before anyone started looking. A misconfigured API. A third-party script with access it was never supposed to have. A checkout flow that passes every compliance scan and still leaks payment data to a domain no one recognized.

That is the problem these voices have spent their careers defining, measuring, and working to solve. Not chasing threats after the fact. Eliminating the exposure that makes threats possible in the first place.

Every tool reacts to attacks. The real risk lives in your exposure.

FAQs

How did Alex Stamos’s resignation from Yahoo and his work at Facebook define his influence?

Alex Stamos (ranked #5) resigned from Yahoo as CISO after the company complied — without consulting him — with a classified government order to scan all incoming email on behalf of U.S. intelligence agencies. This decision, choosing user protection over compliance with a surveillance request, shaped how the security community views him.

At Facebook, he led the investigation into Russian interference in the 2016 election, testified before government committees on six continents, and oversaw security for 2.5 billion people across Facebook, Instagram, and WhatsApp. He later co-founded the Krebs Stamos Group, founded Stanford’s Internet Observatory, and now serves as CSO at Corridor, an AI security startup focused on vulnerabilities introduced by AI-generated code.

What criteria were used to select the ten CISOs on this list?

The list was built around a single question: whose thinking actually changes how organizations approach security? The criteria explicitly excluded volume — “not the loudest voices” — in favor of CISOs whose frameworks, research, writing, and public work make practitioners who follow them genuinely better at the job.

The specific areas of relevance stated are web security, application security, third-party risk, and attack surface visibility. The profiles emphasize practitioners who built the mental models security teams use today, held the line under pressure to cut corners, and then wrote publicly about what those experiences actually taught them.

What distinguishes Allison Miller’s security philosophy and why is it relevant to payments and PCI compliance?

Allison Miller (ranked #4) spent 20 years building fraud prevention and risk systems at Visa, PayPal, Bank of America, Google, Electronic Arts, and Reddit, where she served as CISO and VP of Trust. Her career is distinguished by building real-time risk prevention systems that make decisions in milliseconds about whether a transaction or session is legitimate.

Her relevance to payments security and PCI compliance is direct: she has spent two decades building defenses for exactly the web surfaces that Magecart attacks, third-party script abuse, and client-side skimming exploit. Her broader contribution is framing trust as a technical discipline — something engineered and measured, not assumed — which applies directly to checkout security and third-party risk in web environments.

What is Myrna Soto’s critique of compliance frameworks and why does it matter for enterprise security?

Myrna Soto (ranked #2) has served as CISO at Comcast and MGM Resorts International and built security programs at American Express, Royal Caribbean, Norwegian Cruise Lines, and Kemper Insurance. She now advises boards and invests in cybersecurity companies through ForgePoint Capital.

Her central critique is that compliance frameworks often create the illusion of protection rather than actual risk reduction — a structural argument she has made in rooms where the message was not always welcome. After 30 years building programs at enterprise scale, she holds that real security and compliance are not the same thing, and that organizations treating compliance as a security proxy are systematically underinvesting in actual exposure reduction.

What is Sounil Yu’s Cyber Defense Matrix and why does it matter for web exposure?

The Cyber Defense Matrix is a security framework developed by Sounil Yu (ranked #10) that maps an organization’s security capabilities against real attack vectors, helping CISOs identify coverage gaps and make purchasing decisions based on actual need rather than vendor marketing. It is now used by CISOs at some of the world’s largest organizations.

For web exposure specifically, the matrix forces teams to ask not what tools they have, but whether those tools cover what attackers will actually exploit — making it directly applicable to third-party scripts, web supply chain risk, and client-side exposure that traditional security stacks routinely miss.

What is the central argument of the article about what separates effective security leadership from “reactive security theater”?

The article argues that the defining difference between effective CISOs and reactive ones is the shift from threat-chasing to exposure management — from responding to attacks after the fact to eliminating the exposure that makes attacks possible in the first place. The MongoDB incident is used as the opening example: the outcome was good not because the breach was prevented, but because years of investment in detection and containment infrastructure meant it was discovered and disclosed quickly.

The article frames the most dangerous risk as “the one you cannot see” — a misconfigured API, a third-party script with unintended access, a checkout flow that passes every compliance scan but still leaks data to an unrecognized domain. The ten CISOs profiled are selected specifically because their work addresses this structural problem: continuous visibility, third-party risk, and web supply chain exposure, rather than perimeter defense and incident reaction.

What positions have Rinki Sethi held and what is her stance on AI-driven threats and Zero Trust?

Rinki Sethi (ranked #3) has served as CISO at Twitter, Rubrik, and IBM, and in senior security roles at Palo Alto Networks, Intuit, eBay, Walmart, and PG&E. She is currently CSO at Upwind Security, a cloud security company focused on runtime-based detection.

At RSAC 2025, she argued that the air-gap mindset is no longer viable, that Zero Trust must extend to operational technology, and that AI-driven attacks have made manual SOC response inadequate at scale. Her position is that AI-driven detection, resilient architecture, and operational readiness are active investments, not aspirational goals, and that runtime-based detection is more effective than static scanning for modern cloud environments.

What security frameworks and roles across the industry has Michael Coates held, and how does his background shape his thinking?

Michael Coates (ranked #6) has served as CISO at Mozilla (which builds Firefox), Twitter (as inaugural CISO), and CoinList. He previously chaired OWASP, the largest nonprofit in the world focused on software security. He now runs Seven Hill Ventures, a cybersecurity venture firm. His career began as a hands-on penetration tester breaking into banks, governments, and telecoms.

His offensive security background gives him an attacker’s perspective at the executive level, which his public writing reflects. His OWASP chairmanship means his thinking shaped how an entire generation of practitioners was trained — the OWASP Top Ten list and its AppSec methodology trace directly to that institutional influence.

What was notable about MongoDB’s 2023 security incident and Lena Smart’s response?

In December 2023, a threat actor gained unauthorized access to MongoDB corporate systems, exposing customer account metadata including phone numbers and email addresses for some customers, and system logs for one. MongoDB CISO Lena Smart (ranked #9) led the response, which became a widely studied incident response case — not because of what was stolen, but because of how quickly it was detected, contained, and disclosed.

Smart had previously built a Security Champions program at MongoDB that trained cross-functional employees to identify and raise security issues without slowing development. The incident response outcome is attributed to the years of security infrastructure built before the breach occurred.

Who is ranked #1 on Reflectiz’s Top 10 Most Influential CISOs list and why?

Phil Venables ranks #1. He has served as CISO at four organizations over 30 years, most recently as the first CISO of Google Cloud (2020–2025), and previously as CISO at Goldman Sachs for 17 years. He helped found the Center for Internet Security, has advised the Bank of England and the Monetary Authority of Singapore, and served on the President’s Council of Advisors on Science and Technology under two administrations.

His influence stems from combining deep technical authority — writing substantively on API security, cloud architecture, and third-party risk — with the governance frameworks that translate security posture into board-level decisions. He is described as “the most credible CISO voice currently active on the internet.”
