From defence to direction: Barracuda CISO on leading change

Riaz Lakhani, Senior Vice President and CISO, Barracuda Networks. Image courtesy of Barracuda Networks.

Boards now expect Chief Information Security Officers to shape business decisions, not just block threats. For Riaz Lakhani, Senior Vice President and CISO of Barracuda Networks, that shift demands rethinking outdated playbooks, confronting the risks hidden in SaaS supply chains, and tackling the organisational habits behind tool sprawl.

In this interview with Frontier Enterprise, Lakhani discusses the pressures redefining the CISO role, from compliance gaps to global regulations, and why the job now extends deep into business strategy.

Which parts of the CISO playbook are now outdated?

A lot of what we did five years ago, such as quarterly access reviews or scheduled vulnerability scans, is no longer adequate. Threats don’t wait for the next review cycle; they’re constant and continually evolving. So, the old playbook of periodic checks and static controls feels outdated in today’s environment.

Boards now expect CISOs to serve as more than just defenders. They want risk advisors who can connect security measures to business outcomes. This requires earlier involvement in the process: in product planning, vendor selection, mergers and acquisitions, and go-to-market strategies. The role is not only about responding to threats, but also about influencing decisions that reduce risk before it emerges.

Security is also increasingly recognised as a trust signal rather than solely a cost centre. When we show customers that we take their data and their business seriously, it can be a competitive advantage. I’ve seen deals move faster because we could demonstrate strong security practices, which reassured stakeholders that their data would be handled with care and protection.

That shift from gatekeeper to business enabler is where the modern CISO should focus.

How has the rise of third-party SaaS reshaped vulnerability management?

The traditional perimeter-based model of vulnerability management has been disrupted by the rapid growth of SaaS integrations. Organisations are no longer only managing their own security posture; they are also inheriting the risk profiles of every third-party vendor and integration they use. Each SaaS application, particularly those with open marketplaces and API ecosystems, can serve as a potential entry point for attackers.

This interconnected environment means a security program is only as strong as the weakest link in the SaaS supply chain. Shadow IT can increase this risk, as business units can deploy apps with nothing more than a credit card, often without security or legal teams’ oversight. The result is a sprawling, constantly changing attack surface that goes beyond the scope of what traditional vulnerability scanners were designed to handle.

Where’s the disconnect between passing an audit and being ready for a breach?

The biggest disconnect is assuming compliance equals security: it doesn’t. You can have all the certifications and still be open to attacks. Threat actors don’t care about your audit reports. If your admins don’t have MFA and their credentials are floating around on the dark web, you’re still a juicy target.

However, compliance can be useful when done right. Many breaches stem from basic control failures such as missing or poorly implemented MFA and poor password hygiene. These are the kinds of issues that a well-executed compliance program can help identify. It also gives security teams leverage to say, “This isn’t just best practice; it’s a requirement.”

So, while compliance won’t catch every exploitable gap, it’s a great starting point. It builds trust with customers, helps justify budget, and gives security teams a framework to push for the fundamentals. If we treat compliance as a floor and not a ceiling, it can be a strategic partner in building real resilience.
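The two answers above make the same operational point from different directions: a quarterly access review is too slow, and a passed audit still leaves privileged accounts without MFA exposed. The script below is an added example, not from the interview or from Barracuda, of turning those fundamentals into a continuous check that can run on every sync rather than once a quarter. The account records are constructed sample data in a hypothetical shape; the `leaked_credential` flag stands in for a match against a credential-leak feed, and a real deployment would replace `_sample_accounts` with an adapter over the identity provider's or SaaS admin API's export.

```python
"""Continuous privileged-access check over a constructed identity export.

Added example (not the interview's or Barracuda's code). The Account shape,
the role names and the thresholds are assumptions; adapt them to the
directory or SaaS admin export you actually have.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

PRIVILEGED_ROLES = {"owner", "admin", "global_admin"}
STALE_LOGIN_DAYS = 45       # a privileged account unused this long is a liability
REVIEW_INTERVAL_DAYS = 30   # deliberately tighter than a quarterly review cycle

# Fixed "now" so the sample run is deterministic; use datetime.now(timezone.utc) in production.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)


@dataclass
class Account:
    user: str
    roles: Set[str]
    mfa_enforced: bool
    last_login: Optional[datetime]
    last_reviewed: Optional[datetime]
    leaked_credential: bool = False  # hypothetical: matched a credential-leak feed


def _older_than(ts: Optional[datetime], now: datetime, days: int) -> bool:
    """A missing timestamp counts as 'older than anything' on purpose."""
    return ts is None or (now - ts) > timedelta(days=days)


def check_account(acct: Account, now: datetime) -> List[str]:
    """Return the control failures for one account, in a stable order."""
    findings: List[str] = []
    privileged = bool(acct.roles & PRIVILEGED_ROLES)
    if privileged and not acct.mfa_enforced:
        findings.append("privileged_without_mfa")
    # A leaked password with no second factor is exploitable whatever the role.
    if acct.leaked_credential and not acct.mfa_enforced:
        findings.append("leaked_credential_no_mfa")
    if privileged and _older_than(acct.last_login, now, STALE_LOGIN_DAYS):
        findings.append("dormant_privileged_account")
    if privileged and _older_than(acct.last_reviewed, now, REVIEW_INTERVAL_DAYS):
        findings.append("access_review_overdue")
    return findings


def review_accounts(accounts: List[Account], now: datetime) -> Dict[str, List[str]]:
    """Map each failing user to its findings; clean accounts are omitted."""
    result: Dict[str, List[str]] = {}
    for acct in accounts:
        findings = check_account(acct, now)
        if findings:
            result[acct.user] = findings
    return result


def _sample_accounts(now: datetime) -> List[Account]:
    """Constructed sample export; not real users."""
    d = lambda n: now - timedelta(days=n)
    return [
        Account("alice", {"admin"}, True, d(2), d(10)),
        Account("bob", {"global_admin"}, False, d(90), d(120), leaked_credential=True),
        Account("carol", {"viewer"}, False, d(1), None, leaked_credential=True),
        Account("dave", {"admin"}, True, d(60), d(5)),
    ]


def run_sample() -> Dict[str, List[str]]:
    return review_accounts(_sample_accounts(NOW), NOW)


if __name__ == "__main__":
    for user, findings in run_sample().items():
        print(f"{user}: {', '.join(findings)}")
```

The useful part is not the thresholds but the fact that every rule is evaluated on each run, so a new admin created between reviews, or a password that appears in a leak feed tomorrow, shows up the next time the job executes instead of at the next quarter's review. Feeding the output into a ticketing or SOAR workflow is the natural next step.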

What habits keep enterprises stuck with complex, fragile security stacks?

Tool sprawl is rarely the result of one bad decision. More often, it comes from a series of well-intentioned ones. Teams move quickly, threats evolve fast, and sometimes the simplest option is to buy a new tool that solves a specific problem. It might be to close a gap, meet a deadline, or respond to an incident. Before you know it, another layer has been added to an already complex stack.

Over time, that approach creates fragility. Tools overlap, integrations break, and it becomes unclear what is being used or by whom. This is not always due to carelessness; it often stems from a lack of shared visibility or from teams working to different priorities and timelines. Security, IT, and engineering may be addressing the same risks, but from different angles.

Underutilisation is another factor. Organisations sometimes don’t realise the full capabilities of the tools they already have, or they lack the time and resources to operationalise them effectively. This can result in shelfware, duplication, and frustration.

While procurement decisions play a role, the deeper issue is coordination. Fixing it requires better communication, shared ownership, and a more deliberate approach to architecture.

What new responsibilities will CISOs need to prepare for?

Three areas stand out: data security and trust, global regulatory changes, and cyber resilience in a SaaS-first environment.

With AI systems increasingly reliant on enterprise data, CISOs must ensure that data pipelines are secure, well-governed, and protected from poisoning or leakage. The EchoLeak vulnerability is a clear example of how AI can amplify risk if it isn’t properly secured.

Frameworks like DORA, NIS2, and the Cyber Resilience Act are also raising the bar for security accountability. CISOs will have to navigate a patchwork of global regulations, each with its own reporting timelines, breach thresholds, and enforcement measures.

As every vendor becomes part of your security ecosystem, CISOs will need to create playbooks for SaaS continuity, vendor compromise scenarios, and integration risk modelling.
