CISO Q&A: Leo Cunningham On Building Strong Security Foundations

Last updated on Apr 22, 2026
Written by Mirren McDade

“Cloud security complexity has exploded,” says Leo Cunningham, Chief Information Security Officer at Owkin. 

Cybersecurity professionals face one of the most challenging jobs in modern businesses, dealing with a constantly evolving threat landscape. They must find ways to navigate challenges and obstacles effectively to get their security posture to where it needs to be. Achieving this goal requires strategic vision and the ability to balance business enablement with risk management.

In this series, we will be interviewing cybersecurity professionals from a wide range of backgrounds, industries, and experiences to bring you their unique insights into cybersecurity today, what challenges they are facing currently and expect to face in the near future, the realities of what it takes to defend complex global environments, and what advice they would offer to other CISOs and cybersecurity professionals.

I spoke to Leo Cunningham, the Chief Information Security Officer at Owkin, an AI Biotech company that aims to identify new treatments, optimize clinical trials, and develop AI diagnostics. Leo is a distinguished CISO and technology leader with over 20 years of experience driving enterprise security and technology strategy across blue-chip companies, unicorns, and high-growth organisations. His expertise spans cybersecurity, AI safety, cloud security, and regulatory compliance across multiple sectors, including HealthTech, AI, FinTech, Banking, SaaS, and E-commerce.

What cybersecurity challenges do your team deal with on a day-to-day basis?

Our daily focus centres on three core areas: threat detection and response, compliance management, and security enablement. We’re constantly monitoring security alerts and investigating potential incidents, while also ensuring we meet regulatory requirements across multiple frameworks. But what sets us apart is our role as security enablers – we work closely with teams across AI, data science, legal, and privacy to help them innovate securely rather than slowing them down. It’s about finding that sweet spot where security becomes a competitive advantage, not a roadblock.

How have the challenges you deal with evolved in the last few years?

Cloud security complexity has exploded, but so have the tools to manage it. Three years ago, we were manually hunting for misconfigurations and vulnerabilities across our cloud infrastructure. Today, platforms like Cloud Security Posture Management (CSPM) and Cloud-Native Application Protection (CNAPP) not only identify exposures but also provide one-click remediation for many issues. The automation revolution has been game-changing – we can now address risks in minutes that used to take days or weeks to resolve manually.

How have you set your team up for success dealing with these challenges?

I built our approach around four pillars: First, we create dedicated time for experimentation – about 20% of our capacity goes to testing new tools and approaches. Second, we foster a growth mindset where team members are encouraged to challenge the status quo and raise the bar continuously. Third, we’re obsessive about communication – every initiative comes with clear data showing the ‘why’ behind our decisions. Finally, we treat security like a lab – everything is an experiment that we measure and optimise.

What technologies, partners and vendors help you when dealing with these challenges?

We’ve built our stack around three foundational platforms. For compliance and risk management, Vanta has been transformative – we’ve achieved 100% audit success rates since implementation. For cloud security, Wiz has become our single pane of glass for all infrastructure security, giving us visibility we never had before. For endpoint protection, CrowdStrike provides the real-time threat detection and response capabilities that are essential in today’s threat landscape. Each tool was chosen not just for functionality, but for how well it integrates and reduces our operational overhead.

How do you evaluate new vendors in the cybersecurity space?

We follow a three-phase approach: exploration, validation, and architectural review. We start with team expertise and peer feedback to create a shortlist. Then we run proof-of-concept testing to validate technical capabilities, followed by proof-of-value assessment to quantify business impact. Finally, we document everything in architectural design records that clearly demonstrate ROI and integration requirements. This process has helped us avoid vendor sprawl and ensure every tool we adopt truly adds value.

How do you balance security with business agility?

Our mantra is simple: we’re business enablers, not business blockers. We embed security thinking early in business initiatives rather than being the team that says ‘no’ at the end. When trade-offs are necessary, we present multiple options with clear risk profiles, letting business leaders make informed decisions. For example, when a team needs to move fast on a new product launch, we might recommend enhanced monitoring and logging as a compensating control while they implement more robust security measures post-launch.

What’s one underappreciated security control or practice you believe more organisations should adopt?

Security metrics and measurement. Most security teams struggle to demonstrate their value because they don’t measure the right things. You should be tracking both defensive metrics – like ‘we spend $X to protect $Y in assets’ – and offensive intelligence, such as ‘here’s how attackers view our organisation and why we’re a target.’ We also measure training effectiveness: ‘We trained X employees, which reduced phishing susceptibility by Y%.’ These metrics transform security from a cost centre into a measurable business function that leadership can understand and support.

What impact do you see new technologies like AI having on your day-to-day, if any? Do you see AI having a long-term impact?

AI has already revolutionised how we handle data analysis and task automation. We’re processing massive security datasets that would be impossible to analyse manually, and AI helps us identify patterns and anomalies at scale. The long-term impact will be profound – AI will become as foundational to security as firewalls are today. However, AI safety and governance will create new compliance challenges that will likely fall to security teams to manage. We’re already preparing for this by developing AI risk frameworks and governance processes now, rather than waiting for regulations to catch up.

What advice would you give to fellow CISOs/industry practitioners?

Communication is absolutely essential for keeping the business up to date with all things security. It might sound obvious, but we tend to get bogged down with building functions or implementing tools, and then people wonder what we’ve been doing the whole time. 

Backing everything up with data will also support your decisions. Get feedback on metrics: do they make sense in the context of your company? Are they relatable, meaningful and impactful?

Remember to focus on mental health and a support structure to help you when things aren’t going to plan. We have an amazing community out there, use it!



Written by Mirren McDade, Journalist & Content Writer

Mirren McDade is a senior writer and journalist at Expert Insights, spending each day researching, writing, editing and publishing content, covering a variety of topics and solutions, and interviewing industry experts.

She is an experienced copywriter with a background in a range of industries, including cloud business technologies, cloud security, information security and cyber security, and has conducted interviews with several industry experts.

Mirren holds a First Class Honors degree in English from Edinburgh Napier University.