As AI advances at a pace that can both strengthen and undermine security, it is all hands on deck. Members of the C-suite must work in concert to protect their organizations, and CISOs must find ways to cut through the noise of alerts and focus on the vulnerabilities that could compromise their companies' most valuable assets.
Karen Walker, CFO at Sysdig, brings a distinctive perspective to cybersecurity, advocating collaboration between the CFO, General Counsel and CISO to better understand and reduce risk, and to keep boards well-versed in cybersecurity. With a degree in accounting from Southern Methodist University, Walker made her way to the Bay Area, where she found a natural fit among tech companies. She initially focused on investor relations at companies such as PagerDuty and Pandora Media before moving into finance positions.
Q. How is AI changing the role of CISO?
A. Our CISO in residence, Connor Sherman, talks about a dual mandate for CISOs. On the one hand, they need to enable AI adoption for innovation and for productivity. But they also need to do it in a secure way. So, that's the tension of the two things: move with speed, don't be the person that's slowing things down, but at the same time do it in a secure way.
Q. That’s a tough balancing act because generative AI, and now agentic AI, got out of the gate before any guardrails were in place. Isn’t that a recipe for disaster?
A. It is zipping along. And that is the tension. Undoubtedly, people will make mistakes. And data security is like the biggest thing that people are worried about—where is my data going and how is it interacting with these large language models? But I think in the grand scheme of things, it’s really a blip. It's a balance and a compromise.
Q. How is that mad rush challenging for DevOps?
A. If you're in a DevOps culture, you're responsible for securing your code, even before it launches into production. So, it's moving and shifting everything further upstream before it can move into production. And this tension we were talking about is something that we hear also from security companies, because sometimes developers are inundated with vulnerabilities. This points to something important: making sure that you have modern tools. If you've adopted the cloud, have you also adopted tools that are modern and purpose-built for the cloud?
Q. In the recent 2025 State of Application Security Survey, conducted by TechStudio™, an Energize Marketing® company, and Cypress Data Defense, an alarming number of respondents—62%—admitted to knowingly shipping insecure code. Does that surprise you?
A. That is definitely happening. We've talked with CISOs and security teams that say they cannot keep up and that they're identifying a lot of vulnerabilities, things that don't get resolved. A board member that I know sits on a large number of companies, both public and private, and that's what they're also seeing. That’s one of the things we're so excited about in particular with the agentic AI, because it's taking a piece—runtime knowledge—and going a step further. We can actually see and identify the highest priority things running in production and [determine] if they are exploitable, then piece together a fix that will actually remediate [multiple] items. That’s what people need to know. Otherwise, there is so much and security teams don't know what to do, what to fix.
Q. A lot of CISOs seem to feel that the remediation piece needs to be improved, if not solved, and until that happens, are they exposed to liability?
A. That's the thing. This is what makes a lot of people concerned. You have this long list, and if you're not able to resolve all of those, somebody's saying, “Wait, what about these things? Why haven't you addressed these things?”
A. I think those days are already gone, even before this. AI has really taken off. It's been two years since the SEC implemented their rules on disclosing cyber incidents if they're material. You've got Europe with, like, NIST, too, and DORA. A vast variety of countries are introducing all of these regulations that can protect consumers and investors. And that has already started to change the framework and really make cybersecurity a strategic imperative and a boardroom topic, which has forced more collaboration between the CFO, CISO and General Counsel. So there, again, when you think about the General Counsel and CFO, they already have a lot of insight into financial disclosures and process and controls. CISOs certainly have a lot of processing controls as well. But then how does the CISO come over and talk to the CFO and the General Counsel about business risk?
Q. Is that synergy even more necessary since CISOs are under pressure to assume liability for security incidents?
A. Yes, you're right. On the heels of those rules came the SolarWinds suit that the SEC took, which was also the first time that they had actually taken action against a CISO, Timothy Brown. That was a panic button for a lot of CISOs. But I think the reality of it is it does elevate their role in the company. And some companies may even have that role reporting to the CEO. I think a lot of companies still have the deep dives on cybersecurity at the audit committee level because it's very much tied in with financial risk. But it's no longer like, “We have five minutes left, let's talk about this topic [cybersecurity].” But I think there is still some room for improvement.
Q. The C-suite, the board and CISOs can't speak separate languages anymore. But do boards understand their companies’ cybersecurity posture?
A. In a study, there was a very large percentage of independent board directors that said, “I don't fully understand my company's cybersecurity strategy.” And that’s a real wake up call.
Q. Do they just not have the necessary cybersecurity chops or have they been inadvertently kept in the dark?
A. I suspect it's a little bit of both. It can be very different if you have people on your board that are already operators. What is their technical background? If you have somebody who's been very far removed from operating a company for some time, they may not actually be as up to speed on the latest technologies. Now, these are smart people, so they can learn. But that becomes the key of really putting things into business risk. Just like anything, whether it's cybersecurity or it's SOX [Sarbanes-Oxley], you're not going to have 100% assurance. You're looking for reasonable assurance. A lot of that comes with a framework that can be put into the context of the business, understanding what the company's greatest assets are and the areas where the company should have the highest level of security programs and protocols around them. What are some of the things that are perhaps our legacy that they're not necessarily as focused on? They should just understand the environment, particularly if a company is operating in the cloud. Cloud attacks can unfold in 10 minutes or less, because the cloud is very open by nature. So, know the advantages of actually adopting the cloud, like speed, time to market, very scalable, but understand the downside from a cybersecurity perspective. As a board member, do you understand all this context? I think it's doable.
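The runtime-aware prioritization Walker describes earlier in the interview (score what is actually running and reachable, check for known exploitation, then bundle findings that one upgrade closes) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Sysdig's product, nor real scanner or agent output. The findings, workloads, CVE identifiers ("CVE-A" and so on), the weighting factors and the 10.0 threshold are all constructed assumptions chosen to make the grouping visible.

```python
"""Toy runtime-aware vulnerability prioritization (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    workload: str
    package: str
    cve: str
    cvss: float
    fixed_in: Optional[str]   # None: no upstream fix available yet
    known_exploited: bool     # e.g. listed in an exploited-in-the-wild catalog


@dataclass(frozen=True)
class RuntimeContext:
    running: bool             # is the workload actually deployed right now?
    internet_exposed: bool    # reachable from outside the cluster/VPC?
    loaded_packages: frozenset  # packages a process has actually loaded


# Constructed sample data; CVE names and versions are placeholders, not real advisories.
FINDINGS = [
    Finding("api",    "openssl", "CVE-A", 9.8, "3.0.13", True),
    Finding("api",    "openssl", "CVE-B", 7.5, "3.0.13", False),
    Finding("api",    "libxml2", "CVE-C", 8.0, "2.12.5", False),  # installed, never loaded
    Finding("api",    "openssl", "CVE-F", 5.3, None,     False),  # no fix yet
    Finding("worker", "libcurl", "CVE-D", 7.8, "8.6.0",  True),
    Finding("batch",  "zlib",    "CVE-E", 9.9, "1.3.1",  True),   # workload not running
]
RUNTIME = {
    "api":    RuntimeContext(True,  True,  frozenset({"openssl", "libcurl"})),
    "worker": RuntimeContext(True,  False, frozenset({"libcurl"})),
    "batch":  RuntimeContext(False, False, frozenset()),
}


def risk_score(f: Finding, ctx: Optional[RuntimeContext]) -> float:
    """CVSS base score adjusted by runtime context (weights are assumptions).

    Not running -> 0 (nothing to exploit). Loaded package x2, unloaded x0.5,
    internet-exposed x1.5, known exploited x2.
    """
    if ctx is None or not ctx.running:
        return 0.0
    s = f.cvss
    s *= 2.0 if f.package in ctx.loaded_packages else 0.5
    if ctx.internet_exposed:
        s *= 1.5
    if f.known_exploited:
        s *= 2.0
    return round(s, 2)


def prioritize(findings, runtime):
    """Return (score, finding) pairs, highest risk first."""
    scored = [(risk_score(f, runtime.get(f.workload)), f) for f in findings]
    return sorted(scored, key=lambda t: t[0], reverse=True)


def plan_remediation(findings, runtime, threshold: float = 10.0):
    """Bundle everything above the threshold into upgrade actions.

    One (workload, package, fixed_in) upgrade may close several CVEs; findings
    with no fix go to a separate list that needs mitigation instead of patching.
    """
    upgrades = defaultdict(list)
    needs_mitigation = []
    for score, f in prioritize(findings, runtime):
        if score < threshold:
            continue
        if f.fixed_in is None:
            needs_mitigation.append(f.cve)
        else:
            upgrades[(f.workload, f.package, f.fixed_in)].append(f.cve)
    return dict(upgrades), needs_mitigation


if __name__ == "__main__":
    for score, f in prioritize(FINDINGS, RUNTIME):
        print(f"{score:6.2f}  {f.workload:7} {f.package:8} {f.cve}")
    upgrades, mitigate = plan_remediation(FINDINGS, RUNTIME)
    for (wl, pkg, ver), cves in upgrades.items():
        print(f"upgrade {pkg} to {ver} on {wl}: closes {', '.join(cves)}")
    print("no fix available, mitigate:", mitigate)
```

On the constructed data the two openssl findings on the exposed `api` workload collapse into a single upgrade action, the high-CVSS finding on the stopped `batch` workload scores zero, and the never-loaded libxml2 package drops below the threshold, which is the point of scoring against runtime rather than against the raw scanner list.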