Cybersecurity leadership today looks very different from what it did a decade ago. As organizations accelerate digital transformation, the role of the Chief Information Security Officer (CISO) has expanded far beyond protecting systems. Today’s security leaders are expected to balance cyber risk management, business priorities, and regulatory demands—often across multiple industries and global markets.
Hannah Suarez represents this evolving generation of cybersecurity leaders. As the CISO at Loyalty Status and the owner of Superuser OÜ and Citadel Byte Information Technology, she brings a rare blend of enterprise security experience and startup agility. Having worked across several industries—including telecommunications, aviation, and software startups—and across multiple international markets, Hannah understands that effective cyber risk management is not just about compliance frameworks. It starts with understanding the business, the technology behind it, and the risks that come with rapid innovation.
As part of The Cyber Express’ Women in Cybersecurity series, we are dedicating the month of March to conversations with women shaping the future of cybersecurity. Throughout the month, we will be featuring interviews with security leaders from across the world who are driving change in areas such as cyber risk management, cloud security, governance, and leadership.
In this conversation, Hannah shares her perspective on navigating cloud security responsibilities, avoiding compliance fatigue across multiple cybersecurity frameworks, and why supply chain vulnerabilities remain one of the most urgent challenges for organizations today.
Below is the full conversation with Hannah Suarez.
Cyber Risk Management Insights from CISO Hannah Suarez
TCE: You have led cybersecurity and compliance programs across multiple industries, including telecommunications, aviation, and software startups. How does the approach to cyber risk management differ between fast-growing startups and more established enterprises?
Hannah: One of the key, obvious, differentiators is the approach to risk. Startups willing to absorb or delay risk treatment in favor of risk acceptance to grow is one example. Also, even if this is the approach for a startup that has to show itself as secure to enterprise, you can still wrap it in an ISO framework and have it in the ISMS so there is an actual approach.
TCE: With organizations increasingly adopting cloud-first strategies, what are the most common cloud security gaps you observe today, and how can CISOs address them proactively?
Hannah: First is to differentiate exactly what model is this when it comes to ownership and operations. For example, you onboard a new application which is on cloud (such as Salesforce) and from there determine if there is compliance responsibility by the operator or if it is entirely on the company. Or, we could be referencing to operating a software that is managed by an operator on cloud (AWS, GCP, Azure). Or we could be talking about private cloud hosted instead.
From there on, the layers become complex as you try to determine responsibility and ownership. Which components are going to be shared responsibility to operate, which components are not, and so on.
Therefore, I find that a lot of time gets invested in trying to understand the solution first and why the business is heading into that direction by talking to the relevant stakeholders. I could really go on in more detail about cloud security in third party management, but the overall basis is who owns and who is responsible.
TCE: You have worked extensively with frameworks such as ISO, NIST, CIS, SOC, and SOX. How should organizations prioritize these frameworks without creating compliance fatigue?
Hannah: The problem is being framework-only. For example, why would one cite a NIST guideline from their cybersecurity framework if this isn’t relevant in the ISMS? So the challenge is to try to come back to the business first and then from there determine what should be prioritized. Coming back to the business involves applying risk management, since you also have to understand the responsibility of implementing and owning the risk.
It doesn’t mean that you are limited to just one framework only – i.e only follow ISO, or only follow NIST, etc. I did an exercise of going through multiple guidelines and frameworks to see what the information is on supply chain management lifecycle on a holistic view, then went into the detailed for specific components of it (onboarding, offloading, etc) that is more suitable to the current business process.
TCE: From your experience presenting to boards and executive teams, how can cybersecurity leaders better translate technical risks into business impact?
Hannah: You differentiate who is responsible, is it the business owner, the system owner, the risk owner, the contract owner. And adjust.
TCE: Having worked across diverse global markets, how do regional regulatory environments influence cybersecurity strategy and risk governance?
Hannah: It is dependent on recognising ownership of what applicable laws and regulations apply within the entire data flow or process flow. Therefore I start on the contractual component and work my way to how it is impacting the ISMS and then applying the ISMS.
TCE: As cyber threats continue to evolve, which emerging risk areas—such as AI-driven attacks or supply chain vulnerabilities—do you believe organizations should prepare for most urgently?
Hannah: Something that is a thorn for organizations that has undergone massive digital transformation is supply chain vulnerabilities. Addressing this is going to be at the core of addressing the more specialized topics, like AI-driven attacks.
For example, you onboard new suppliers for a process that is required to use and store highly regulated commercial data, or highly sensitive data (such as, biometrics like voice analysis). This new system then announces their intention to use data for their AI models. What next?
TCE: You have a strong background in building security maturity for organizations. What are the first three practical steps companies should take to strengthen their security posture in 2026?
Hannah: Have executive management involvement across the business. Understand the business and why it is going in a certain direction like my answer previously on frameworks. Understand the components (vendors, suppliers, operators) that make up the business (like my answer previously on cloud).
TCE: As someone with an entrepreneurial mindset and experience across startups, how can cybersecurity enable business growth rather than being seen only as a compliance requirement?
Hannah: For startups, one of the issues that they face is building trust with enterprises. And compliance programs (be it ISO 27001, data protection management programs, etc) are important to establish this. Not just for the objective third party view from an auditor, but also for the day to day running of the business.
A lot of the enablement, without things devolving into some compliance checkbox, is for the startup to learn more about risk management – not just thje TARA framework (Transfer, Accept, Reduce, Avoid) but to also get to ways that they don’t seek permission to do risk analysis, all the time. For this, it is risk exploitation which is to be able to seize opportunities first, then working on the TARA method later. It is more like the saying “ask for forgiveness later” in which the later part is to conduct the risk analysis later. Or the other way of saying is to accept first, then analyse later.
TCE: On the occasion of International Women’s Day, what key actions can organizations take to create more inclusive and supportive environments for women in cybersecurity?
Hannah: Community is very important. As someone who has moved in several countries (with the UAE as my seventh), one of the things that you do is to find ways to try to ground yourself in a new community. This was very much evident in the UAE through initiatives for women in cyber security, and also being in other groups for women in technology that I am a part of for the wider GCC area. Organizations can choose to take part in more of these initiatives, or at least encourage and empower their employees to participate.
TCE: What advice would you offer to young women aspiring to build leadership careers in cybersecurity, particularly in areas like risk management and compliance?
Hannah: In the beginning, I was working as a system administrator for a software company. We had customers that needed to configure specific components to make it compliant (such as, using FIPS cryptographic modules). In the end, I ended up learning more about these frameworks.
When I pivoted more towards auditing and implementing ISMS for enterprises and organizations, the focus was less on the technical and being super specialized in it, and more on the business side and finding ways to get the business to reach and maintain compliance.
Having background in the two, I find, has been a valuable perspective to work in this area.
Conclusion
Hannah Suarez’s perspective is a reminder that cyber risk management is not just about frameworks or compliance checklists. At its core, it is about understanding how a business operates, who owns the risk, and how security decisions affect the organization as a whole.
From navigating cloud security responsibilities to addressing growing supply chain vulnerabilities, Hannah emphasizes that security leaders must first understand the direction of the business before building controls around it. Only then can cybersecurity move beyond enforcement and become part of how organizations operate and grow.
Her journey also highlights the importance of community and mentorship, particularly for women in cybersecurity who are building leadership roles across the industry.
As organizations continue to evolve digitally, the challenge for CISOs will be balancing innovation with responsible cyber risk management. As Hannah suggests throughout this conversation, the starting point remains simple: understand the business, understand the risk, and build security programs that support both.
