Hello, CyberTech community. Welcome to our latest conversation of the CyberTech Top Voice interview series.

The latest CyberTech Interview with Bugcrowd’s CISO (Americas) Trey Ford is an interactive Q&A-styled conversation. Trey recently joined Bugcrowd as the Chief Information Security Officer for the Americas, marking a pivotal moment for the company as it expands into a dynamic region. In this interview, our reporters dove into the most common challenges faced by security leaders in the GenAI era. The recent “crisis” in security operations (SecOps) with LLM and GenAI development models has forced security teams to explore new tools and solutions. Bugcrowd AI Bias Assessments provide AI safety to DevSecOps teams, enabling engineering teams to deploy LLM apps confidently and productively.

Join us in shaping the future of cybersecurity with AI and Machine Learning innovations. Learn more about how Bugcrowd can help you achieve your LLM AI Safety goals.

Here’s what Trey had to say about the CISOs and their challenges.

Hi Trey, welcome to the Cybersecurity Top Voice Interview Series. Please tell us a little bit about your journey in the security industry.

Trey Ford: My journey started in IT in the early 90s: dial-up modems, bulletin board systems (BBSes), games and viruses. I built machines, upgraded and fixed others, and found myself doing classic IT helpdesk work. After a stint doing IT consulting work, network migrations, and tech support work through the mortgage boom, I spent more and more of my time battling things like Code Red, Nimda, Sasser, and other worms. I guess I heard my calling to enter the world of security. I came to appreciate the need for best practices, hygiene, and creating safety in those difficult discussions.

Once in a full-time cyber role, I helped build a global security assessment practice, was one of the very first to provide credit card security assessments (under the Visa CISP program, later PCI), spent some time in product management, ran security operations for a gaming company, helped produce events (Black Hat) globally, and then ran security for a massive platform service provider.

One thing I was never able to shake: the challenge of creating safety around, and aligning incentives for, vulnerability disclosure was a unilateral challenge.

As a profession, I believe the highest calling in cybersecurity is to foster safety around challenging conversations. Today, many companies continue to struggle with discussions about risk tradeoffs, effective testing, incident response, disclosures, and more. This is an area where we, as an industry, must continue to make progress if organizations are to effectively address the complex challenges they face daily.

If the CISO role was a novel/TV/movie character, which one would you pick and why?

Trey: What a fun question—and such a tough one to answer! I think Tom Cruise’s Edge of Tomorrow (2014) offers an interesting parallel. His character, Major William Cage, becomes trapped in a time loop and is repeatedly sent on a suicide mission. Each time he goes into battle, he gains new insights and, much like Groundhog Day, he re-lives the day from the same starting point.

CISOs often get a bad rap for having experienced and worked through incidents – I feel a big part of what you gain when hiring an experienced CISO is that battlefield experience. They’ve experienced a lot of things that allow them to see around corners, almost predicting what happens next. That’s invaluable organizational experience.

Every time a CISO starts a new job, they’re bringing extremely valuable experience, perspective, and expensive lessons forward with them. In a collective sense, the CISO community has a lot of shared knowledge and experiences that won’t be learned in an academic setting – so much of it must be learned.

What is your favorite cybersecurity technology or solution and why? How do users benefit from using this technology?

Trey: Right now, I believe that it might be Apple’s Secure Element. It brought strong multi-factor authentication (MFA) to the masses and provided a strong chain of security foundations to an elegant user experience. It has enabled a passwordless path and continual strong re-authentication for the general public, something that has only been possible in the most stringent enterprise environments.

You have been part of the SecOps teams in some of the biggest organizations. What key lessons have you learned in your different roles?

Trey: The importance of psychological safety and incentive alignment. Vulnerability scanning identifies a negative score – folks are either unable, unwilling, or otherwise prevented from patching and hardening systems. Application security testing highlights all kinds of defects that are usually received as a judgment of them personally or their work quality. What a horrible thing to put people through!

Strangely – things get worse when automated tooling and human-powered testing processes miss things later found once software has shipped. Not only do we have misses in design and build, we have embarrassing misses in testing based on tooling investments and human failures.

All businesses and teams operate with constraints – time to market, time allocated for research and development, time for maintenance – all of which compete against the outcomes that incentivize leadership.

Outcomes are what matter – making conversations safe, and finding ways to incentivize alignment for those building, testing, maintaining, and defending technology – is of the utmost importance.

According to reports, CISOs face unprecedented challenges in their roles and responsibilities in the GenAI era. How do you cope with the challenges?

Trey: Security was historically the “department of no” – and we found that companies culturally rejected this default posture. The business-aligned concept of “what and how” to achieve the outcomes is what we’re after. The most successful CISOs are partnering with the business to harmonize two things – the use cases for value creation in the business engaging GenAI, and pulling in data governance to understand and guide what data will be in scope, or impacted by these new value drivers.

It is inevitable that there will be visibility gaps that must be addressed, and the industry is moving fast to provide tooling capabilities to raise monitoring and auditing capabilities created by GenAI adoption.

In Bugcrowd’s recent Inside the Mind of a CISO report, which surveyed 209 security leaders globally, findings revealed a significant shift in workforce dynamics. While many organizations plan to hire, 70% indicated plans to reduce security team headcount within the next five years due to the adoption of AI technologies. Moreover, over 90% of respondents believe that AI either already outperforms security professionals or will surpass their capabilities soon. However, AI’s impact isn’t seen as purely beneficial; 58% expressed concerns that the risks associated with AI could outweigh its potential advantages.

In the last two years, how has the cyber security and SecOps industry evolved?

Trey: I think the biggest disruption radiates from hyperscalers removing the moat from the major logging and monitoring platforms. Major SIEM providers charged on consumption models, and customers spent heavily to move, process, and store data in those platforms. Now that Google, Microsoft, and AWS have built-in log collection and analysis capabilities, there are viable options for cloud-local storage and analysis. You’ve also seen disruptive motion from players like Cribl creating a Rosetta Stone-class capability to de-duplicate and analyze information in real time and address both back-pressure (log flow issues) and cross-platform analysis. Storage and processing are getting cheaper and more ubiquitous.

Our most popular question: CIO versus CISO – who owns the overall control of the enterprise security and information management systems? How do you define the two titles at Bugcrowd?

Trey: I’m seeing a major consolidation in this space. CISOs have been playing catch-up with the CIO’s office from a C-suite involvement perspective. CIOs of yesteryear saw extremely large teams managing back-office infrastructure, hardware in data centers, patching, fleets, and storage – where SaaS, PaaS, and IaaS have downsized those teams.

An increasing majority of business, compliance, and hygiene drivers for the IT office are now flowing from the cybersecurity side of the house, for compliance, currency, and resilience mandates. As such, we’re seeing the integration of the CIO and CISO capability, where we need technology to be inherently secure. At Bugcrowd, we’ve got a global Chief Information and Security Officer (CI&SO) who owns both security and IT.

Given that humans are often the weakest link in cybersecurity and that cybercriminals frequently target browsers to exploit vulnerabilities and steal sensitive data, what measures can organizations take to strengthen their defenses against these threats?

Trey: We need to view attack patterns through an economic lens. Defensive strategy is the responsive side of an arms race, and these efforts are designed to raise the cost of attack and limit the population of attackers willing to spend for modern tooling and exploit payloads to successfully compromise endpoints.

Obviously, endpoint hygiene and security matter – keeping systems patched, hardened, and monitored with modern endpoint detection and response (EDR) technologies is important.

We also need to deconstruct the natural assumption that an account is a human actor. Access should be temporary as much as possible, and access to sensitive systems and data needs to be provided on an as-needed basis. The use of modern single sign-on (SSO), strong and efficient multi-factor authentication (MFA), and just-in-time (JIT) access through privileged account management (PAM) is our best shot at minimizing how much access is available through a compromised account or endpoint.


What risks do unsecured enterprise IT and data assets pose to organizations and individuals?

Trey: Starting off pragmatically – risk in the enterprise context is defined as a loss scenario. So the question of what loss scenarios unsecured enterprise IT and data assets pose to organizations and individuals is highly context-dependent.

Answering some key questions can help inform how the impact of those loss scenarios will be felt:

  • What kind of access do those assets have to sensitive data?
  • Are they critical systems?
  • Can the business operate without them?
  • What kinds of access or interaction are available to these systems?
  • What would be required for those compromised systems to increase their scope of access to additional systems or data?

The impact on you (personally) or your organization (and its customers and partners) will vary widely depending on questions like those above.

Again, the decision to invest in – or neglect – controls on systems or environments must be treated as an economic decision. Hopefully, the unsecured assets in your environments are canaries in the coal mine – designed to alert teams to malice.

What are your key predictions for the cybersecurity market in 2025?

Trey: Many of the CISOs that I’m hearing from daily share that budgets are generally still going up for security initiatives. Even after zero-basis budget reviews, I believe that the trend of outsourcing and crowdsourcing security capabilities will continue to increase. Blue-Team capabilities (like SOC and MDR) will continue to be increasingly outsourced, and Red-Team capabilities (penetration testing, assessment, and SDL/Bug Bounty programs) will continue to see the diversity of expertise better informing program outcomes.

With ransomware continuing as an active threat, I see foundational controls continuing to improve, and insurance premiums continuing to fall.

I also expect to see the trend of CISOs picking up the responsibilities of the Enterprise IT organization.

Tag a leader in the cybersecurity industry or an influencer you would like to invite to a CyberTech Top Voice interview roundtable discussion:

Trey: Jeff Simon, SVP, Chief Security Officer, T-Mobile

Thank you Trey for sharing your insights with CyberTech Insights! We look forward to having you again.

To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com

About Trey Ford

Trey Ford is the Chief Information Security Officer (CISO) at Bugcrowd.

Trey Ford is a seasoned strategic advisor and security thought leader with over 25 years of experience in offensive and defensive disciplines (incident response, application, network, cloud, and platform security). Trey has held key leadership roles at Deepwatch, Vista Equity Partners, Salesforce, Black Hat, and more. He has also been a valued member of Bugcrowd’s advisory board for over a decade.

Trey is passionate about working with enterprise leaders, corporate directors, and investors to help teams strengthen their technology and execution strategy. He believes in a hands-on approach to building, breaking, and deconstructing security problems.

Trey has a Master of Science from the University of Texas at Austin and executive education at Harvard Business School. Hailing from Austin, he is a husband, father, and shares his passion for aviation as an instrument-rated private pilot.

About Bugcrowd

We are Bugcrowd. Since 2012, we’ve been empowering organizations to take back control and stay ahead of threat actors by uniting the collective ingenuity and expertise of our customers and trusted alliance of elite hackers, with our patented data and AI-powered Security Knowledge Platform™. Our network of hackers brings diverse expertise to uncover hidden weaknesses, adapting swiftly to evolving threats, even against zero-day exploits. With unmatched scalability and adaptability, our data and AI-driven CrowdMatch™ technology in our platform finds the perfect talent for your unique fight. We are creating a new era of modern crowdsourced security that outpaces threat actors.

“Bugcrowd”, “CrowdMatch”, and “Security Knowledge Platform” are trademarks of Bugcrowd Inc. and its subsidiaries. All other trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.