CISO Conversations: Robin Bell of Egress on CISO's Role in M&As
Egress CISO Robin Bell is fresh out of a pivotal business transaction. In July, the UK-based company providing security software for digital communication and documentation was acquired by security awareness training major KnowBe4. With decades of experience across industries ranging from telecommunications to SaaS security, Robin has played a key role in aligning security strategies and ensuring operational continuity through this high-profile merger.
In this installment of CISO Conversations, Robin Bell sits down with Chandu Gopalakrishnan to discuss the evolving role of CISOs in navigating major business decisions, such as M&A activities, while balancing the risks that come with increased visibility and operational change. His journey offers unique insights into how security leaders can step beyond operational roles to become strategic facilitators during major business developments. Here are the highlights from their conversation:
The recent acquisition of Egress by KnowBe4 represents a transformative period. From a CISO’s perspective, what have been the key priorities during this transition, and how do you ensure that security operations align with the new business environment?
We're all incredibly excited about the potential the acquisition offers our customers and our employees! We truly are 'better together' and the teams in both companies have approached the acquisition with this mindset. This means a key priority for all programs has been keeping the best of what we have to offer, learning from each other's experiences, and truly leveling up together. My personal priority has been coaching and supporting my team through the ongoing delivery and success of our current security strategy, taking into consideration all the active and anticipated requirements we have prior to the full integration while contributing to the forward planning of this future state. It's also been incredibly important to provide ongoing assurance for our customers that we're assessing any and all changes implemented in policies, processes, and technology to ensure there's no degradation in our security posture and that we're leveraging every opportunity to raise the bar and continue delivering a world-class customer experience, of which our security and compliance is a key element.
In your experience, what are the most pressing cybersecurity risks that arise during mergers or acquisitions, especially when integrating two organizations with distinct security frameworks?
To turn an old saying on its head, in cybersecurity it's what you don't know that will hurt you! A top risk as two companies integrate is lost visibility, or a lack of visibility in the first place. Bringing two companies together can involve introducing new systems or applications into the parent company and sometimes handing them over to different employees to manage. The security teams on both sides must have a full picture of the technology used by every department, so they can ensure that no rise in shadow IT creates vulnerabilities.
There's also the risk that changes can take place at pace, without proper communication and engagement. It's important to keep the stakeholders on both sides engaged, not just the security teams. A key role of security teams is collaborating with stakeholders to understand the guidelines and constraints.
Additionally, looking 'outside' the companies at the threat landscape, cybercriminals weaponize our 24-hour news cycle, frequently jumping on breaking news or changes as a fresh avenue of attack. As M&As are typically highly publicized events, cybercriminals can gather and weaponize OSINT to create targeted attacks - for example, impersonation phishing emails that offer 'new information' for employees within either the organization or the M&A supply chain. Anticipating and proactively defending against these attacks should be a top priority at this time of increased visibility and, therefore, risk.
That calls for a change in role definition, or at least the perspectives around it. Can CISOs become proactive facilitators in major business moves, such as mergers and acquisitions, rather than being seen as reactive or operational roles?
This comes down to the role of the CISO within the organization before an M&A occurs. If you're only seen as reactive or operational before an M&A occurs, then it's going to be difficult to be seen as strategic when a project like an M&A comes along! This involves elevating the role of the CISO within the organization, always contributing to the overall strategic direction of the business and aligning security initiatives with business goals, actively demonstrating how security is an enabler. You need to develop and communicate a forward-looking security strategy and then quantify its impact on the bottom line and other business objectives. Strong relationships with other C-level executives and a collaborative approach to working cross-functionally with other teams are also top priorities.
Once this foundation is built, security - and importantly, the CISO role - will be seen as facilitators of 'everyday' business, which makes it more likely they'll be given a strategic seat at the table when major projects, such as an M&A, change the direction of a business.
You’ve witnessed the evolution of cybersecurity from handling simple virus attacks to defending against targeted, large-scale assaults. However, many business leaders still view security through a traditional, reactive lens. How do you convince them about the importance of proactive steps such as continuous asset discovery and automated penetration testing?
Every successful cyberattack provides a learning opportunity - not only for the organization(s) involved but for everyone in the security community, provided we're willing to engage and develop. All business leaders can agree they don't want to be the next company hitting the headlines - so it falls to a CISO to strategically analyze these breaches, learning from information shared in the press and networking with other CISOs, filtering the relevant information to uncover new potential vulnerabilities. Importantly, this isn't about scaremongering: it's about coming together as a community to learn from previous incidents so that we can all be stronger together.
From there, it's about having a game plan for the types of technologies that can enable the organization to identify risks and manage them proactively, including systems such as platforms for continuous monitoring and penetration testing, as well as a dashboard that presents a hyper-accurate view of human risk across the organization, so you're getting different information from different systems.
Finally, it's important to elevate the results of this approach. Some business leaders can fall into the trap of 'out of sight, out of mind' when it comes to proactive threat management. Continually demonstrating the value of these systems and the ways threats have been eliminated before they materialize will simultaneously demonstrate ongoing ROPI and elevate a CISO to a more strategic position within the business.
From a CISO's perspective, how important is incorporating an attacker’s mindset into your security strategies? Can you share an instance?
CISOs must absolutely 'think like a hacker'. We have a Red Teaming capability to specifically focus on how attackers might target us and to think of different ways they could breach our security through our IT infrastructure and our products and services. I think it's a key part of a security function to not only think 'outside the box' for unexpected scenarios but to also work closely with our SOC function to ensure we are detecting and responding to activity and events.
The recent explosion of AI is a good example of how some CISOs adopted a hacker's mindset. As new technologies were emerging, strategic CISOs were examining how these would be used in the hands of cybercriminals. GenAI, for example, has been rapidly adopted by cybercriminals to create highly sophisticated and targeted social engineering phishing attacks at an unprecedented scale. These can get through existing signature-based defenses, which are looking for a 'traditional' malicious payload (such as a phishing hyperlink or malware attachment). To counter this, the strategic CISO has harnessed AI-driven defenses that use natural language models capable of analyzing, detecting, and neutralizing these threats.
Additionally, by leveraging AI-powered security solutions, companies can simulate attacks, test their defenses, and gain valuable insights into how attackers might exploit their networks. This 'fight fire with fire' approach ensures that organizations are not just reactive but strategically prepared to navigate a constantly shifting security environment.
Over the years, you’ve worked across multiple industries, managing cloud platforms, SaaS operations, and enterprise security. If a young professional were to aspire to build a career in your domain—where security intersects with cloud and SaaS—what practical steps would you recommend they take? How can they gain meaningful experience that sets them apart?
A true growth mindset, open mind, and dedication to continually learn are crucial for those looking to build a career in cybersecurity. Not only will this mean they're able to maximize every learning opportunity they're presented with while upskilling, but they'll remain relevant in a rapidly evolving profession. A strong technical foundation is key and it's important to obtain key certifications, such as those in cloud platforms and security (e.g. CISSP, CCSP), as well as learn about current DevSecOps tools and stay current with emerging technologies.
I also encourage someone to be curious within their role. By that I mean, asking "why?" to develop a deep understanding of the situation and what needs to be done. This often means not accepting the first response to "Why?" but digging further instead.
Softer skills are also important - as we've talked about here, a proportion of many CISOs' roles is about managing perception within the business and alignment with strategic priorities. You need to be able to communicate complex technical concepts to non-technical audiences, understand project management to ensure key streams stay on track, and understand how to work cross-functionally to deliver successful outcomes. To do that you need to develop a broad understanding of how teams within the business work and communicate in their language and terms, especially where security relates to risk management.
Security is a demanding profession, which is why we must learn from each other's experience and support each other; that makes it important to join industry groups and attend conferences and workshops.
Looking ahead, what major cybersecurity challenges do you anticipate organizations will face in the next few years? How can security leaders prepare their teams and strategies to stay ahead of these emerging threats?
Phishing, which remains one of the largest attack vectors, will become even more dangerous as AI enables cybercriminals to automate and personalize attacks at scale. AI-enhanced phishing leverages social engineering techniques, with attackers using OSINT to scrape publicly available data, enabling them to craft highly convincing impersonations to fool even the most cautious recipient. With AI driving malicious activities, the frequency and complexity of threats will surge, making it increasingly difficult for traditional security measures to keep pace.
To stay ahead of these emerging threats, CISOs must adopt a proactive and adaptive strategy that evolves alongside the threat landscape. This begins with the continuous education of employees about the latest cybersecurity trends, including emerging social engineering tactics, phishing techniques, and other evolving attack methods. Cultivating a culture of cybersecurity awareness across all levels of the organization ensures that everyone—from entry-level employees to executive leadership—plays a role in safeguarding sensitive data.
In addition to education, leveraging intelligent technologies such as AI-powered tools is essential for identifying and neutralizing zero-day attacks and other hidden vulnerabilities before they can be exploited. These tools provide real-time monitoring and automated responses, helping organizations stay agile in the face of new threats. They can also help security analysts sift through large datasets to rapidly provide insights and reduce toil in the role.
Building and testing a robust incident response plan is equally critical, ensuring teams are prepared to act swiftly in the event of a breach. Regularly updating security policies, reviewing access controls, and conducting simulated attack exercises will further enhance an organization’s ability to anticipate, withstand, and recover from sophisticated cyber threats. By combining education, technology, and preparedness, organizations can remain resilient and stay one step ahead of attackers.
Last, but most importantly, retaining employees and their knowledge is critical to the ongoing success of the security function, underpinning all the initiatives mentioned above (and more!).
A CISO must navigate business decisions like M&As, align security with business goals, and leverage proactive security tools. Unlock the strategies for a smooth transition into your new CISO role with Your First 90 Days - A CISO Transition Guide, an essential resource from Hadrian.