Hello, CyberTech community. Welcome to episode #23 of the CyberTech Top Voice interview series with Ishpreet Singh, CIO, Black Duck.
In this edition of the CyberTechnology Top Voice Interview Series, we sit down with Ishpreet, a seasoned CIO and CISO, to discuss his leadership in cybersecurity, compliance, and cloud modernization. He shares his most memorable accomplishment—launching a FedRAMP High Compliance Program—and provides insights on the evolving relationship between CIOs and CISOs. We also explore the challenges of managing security in hybrid cloud environments and the future of AI-generated code. His expertise offers valuable takeaways for organizations balancing security, innovation, and regulatory demands.
Hi Ishpreet, welcome to the CyberTechnology Top Voice Interview Series. Please tell us about your most memorable CIO moment. Why did you choose this for our audience?
I’d have to say that launching a FedRAMP High Compliance Program for a publicly traded company was a very memorable accomplishment for me as a CIO.
In today’s landscape, public sector clients and highly regulated industries require robust security measures that meet stringent federal standards. As the CIO of a publicly traded company, I led the launch of a FedRAMP High Compliance Program to secure sensitive data, elevate our security posture, and enable access to high-value federal contracts. This achievement represented a significant milestone in the company’s history, as it enhanced our cyber resilience and facilitated business growth.
FedRAMP High is considered a comprehensive standard for cloud security, requiring over 400 security controls spanning access management, data protection, incident response, and continuous monitoring. Achieving compliance involves a complex, multi-year process entailing technical upgrades, process improvements, and organization-wide cultural shifts toward cybersecurity maturity. This effort required close coordination across IT, legal, compliance, and external auditors, ensuring the program aligned with federal standards while minimizing operational disruption.
This initiative was not just a compliance project but a significant transformation that reshaped the company’s approach to cybersecurity and operational excellence. The experience deepened my ability to lead cross-functional teams, manage complex regulatory frameworks, and align business objectives with security imperatives. It prepared the organization to sustain long-term security excellence while remaining agile in an ever-changing threat landscape.
By achieving FedRAMP High certification, we demonstrated that robust cybersecurity can support both revenue growth and trust with key stakeholders. This accomplishment positions me to lead similar initiatives at organizations focused on security, innovation, and market leadership.
Our most popular question: CIO versus CISO: who owns the overall control of the enterprise security and information management systems? How do you define the two titles at Black Duck?
In today’s digital-first world, the relationship between the Chief Information Officer (CIO) and Chief Information Security Officer (CISO) is critical for balancing innovation with security. The CIO and CISO bring distinct yet complementary expertise to the table:
- The CIO is the enabler driving technology strategy, ensuring IT infrastructure aligns with the business objectives and delivers operational efficiencies.
- The CISO is the expert policymaker responsible for creating, enforcing, and maintaining policies that protect the organization from cyber threats and ensure compliance with regulatory requirements.
The key to success is a collaborative partnership where both roles work hand in hand to integrate real-world collaboration. At Black Duck, I lead both functions—overseeing IT strategy as the CIO and guiding security as the CISO—giving me a comprehensive view of the interconnected relationship between operations and cybersecurity. This dual responsibility allows me to:
- Seamlessly integrate security within our technology initiatives rather than treating it as a separate, reactive function
- Foster cross-functional alignment between IT and security teams, leading to faster decision-making and a more proactive approach to risk management
- Implement shared metrics that track both technology performance and security effectiveness, ensuring that both goals support one another
- Enable my team to secure our digital infrastructure without compromising business agility
My experience leading both roles has shown me that security and technology cannot operate in silos. By fostering a collaborative environment, organizations can achieve their strategic objectives without compromising their cyber resilience. This approach not only strengthens the company’s security posture but also drives business growth by instilling confidence in stakeholders, customers, and regulators alike.
You have led IT Ops and Cloud modernization strategies for leading organizations. Could you tell us the most challenging part of managing security and compliance in hybrid setups?
In my experience, I’ve observed that managing security and compliance in hybrid cloud environments often comes down to balancing business agility with regulatory control.
Hybrid models introduce complexity by blending legacy systems with cloud-native services, each with different security requirements, levels of visibility, and operational models. This complexity creates challenges in governance, accountability, and resource allocation.
The most common challenges I’ve encountered include:
- Policy fragmentation: Different environments may follow separate security and compliance frameworks.
- Operational silos: Cloud and IT ops teams often have different priorities, leading to misaligned workflows.
- Visibility gaps: Disparate tools and systems create blind spots that hinder effective incident response.
- Increased compliance burden: Hybrid setups require more documentation and cross-team coordination, slowing audits.
The key to addressing these challenges is fostering alignment between security and operations while leveraging automation and unified governance to maintain control without limiting innovation.
As hybrid environments continue to grow in complexity, effective security and compliance require unifying governance, streamlining processes, and fostering collaboration across teams. By addressing policy fragmentation, enhancing visibility, and bridging operational silos, organizations can create an integrated security posture that supports business agility while meeting regulatory requirements. Investing in automation and alignment can strengthen security and enable teams to achieve faster, more compliant outcomes.
Tell us about the future of “AI-generated code.”
AI-generated code is transforming software development by automating tasks, speeding up time-to-market, and increasing productivity. Tools like GitHub Copilot and OpenAI Codex are making workflows easier. Gartner predicts that by 2026, over 80% of enterprises will use AI-driven development tools, compared to less than 5% in 2023. However, this progress also brings security, compliance, and governance challenges.
Opportunities with AI-generated code:
- Increased productivity: AI tools can suggest snippets, auto-complete functions, and correct errors, which boosts productivity by 30-50%, according to Gartner.
- Enhanced code quality: AI improves syntax and optimises algorithms.
- Lowered barrier to entry: Non-experts can create basic software components.
Risks associated with AI-generated code:
- Security vulnerabilities: AI-generated code might introduce issues like SQL injection or XSS.
- Unvetted dependencies: AI could suggest outdated or vulnerable libraries.
- IP Concerns: AI models might reproduce copyrighted code.
- Lack of contextual awareness: AI might generate code that doesn’t fit internal policies.
- Overreliance on AI: Developers might deploy unreviewed, insecure code.
Software composition analysis (SCA) tools help mitigate risks by scanning dependencies for vulnerabilities, enforcing licensing policies, and ensuring security standards. By integrating SCA solutions and adopting a “trust-but-verify” approach, organisations can benefit from AI while maintaining security and compliance. With robust governance, continuous monitoring, and secure practices, companies can confidently embrace AI-assisted development.
How does the concept of “AI-generated code” or AI coding assistants fit into a modern AppSec program, especially for AI LLMs and open source AIOps projects?
AI-generated code, AI assistants, and AIOps (artificial intelligence for IT operations) are transforming how businesses handle software development, IT operations, and open source risks. These technologies foster innovation, reduce costs, and enhance system reliability.
Looking first at AI-generated code, we’re referring to the use of artificial intelligence to produce computer programs automatically. This technology speeds up application development, generates deployment scripts for cloud infrastructures, and ensures robust application performance with AI-generated test cases.
Some of the benefits of AI-generated code include:
- Speeding up application development: Using AI, developers can automate repetitive coding tasks, significantly reducing development time and allowing them to focus on more complex problems.
- Generating deployment scripts for cloud infrastructures: AI tools can create optimized scripts for deploying applications across various cloud platforms, ensuring seamless integration and adaptation to different environments.
- Ensuring robust application performance with AI-generated test cases: AI can design comprehensive test scenarios that cover a wide range of use cases, leading to more reliable and resilient applications.
For example, a retail company could build a dynamic pricing engine. By leveraging AI-generated code, it can quickly develop an engine to adjust prices dynamically based on market demand, competition, and inventory levels.
Now, if we look at AI assistants specifically, we’re talking about the ability to provide real-time insights, streamline processes, and offer automation capabilities to optimize workflows. They are essential in enhancing productivity, improving decision-making, and reducing operational overhead.
Some of the benefits of AI assistants include:
- Providing real-time insights and automating tasks: AI assistants analyze data in real-time to offer actionable insights and automate routine tasks, freeing up human resources for more strategic activities.
- Optimizing CI/CD pipelines: Continuous integration/continuous deployment (CI/CD) pipelines benefit from AI’s ability to predict potential issues and optimize workflows, resulting in faster and more reliable software releases.
- Diagnosing issues and initiating resolution workflows: AI systems can detect anomalies, diagnose problems, and initiate corrective actions automatically, minimizing downtime and maintaining system stability.
For example, an e-commerce platform could scale server capacity during peak times. During high traffic periods, an AI assistant dynamically adjusts server resources to ensure smooth user experiences and prevent site crashes.
We must also consider AIOps, which encompasses the use of AI to enhance IT operations. It involves predicting system issues, automating workflows, analyzing performance data, and detecting unusual behavior within systems.
Some benefits of AIOps include:
- Predicting system issues and automating workflows: AI models forecast potential system failures, enabling proactive measures and workflow automation to address these issues before they impact operations.
- Analyzing performance data to prevent failures: By continuously monitoring and analyzing performance metrics, AI identifies patterns that could lead to system failures, allowing for timely interventions.
- Detecting unusual behavior in systems: AI algorithms learn normal system behavior and flag any deviations, helping to identify security threats or system malfunctions early.
For example, a financial services company could detect fraud in real time. AI models analyze transaction patterns to identify and alert for fraudulent activities as they occur, protecting customer assets and company reputation.
Black Duck® SCA is designed to scan applications for vulnerabilities and compliance issues, particularly concerning open source components. It enhances security, license management, and integration within CI/CD pipelines.
The benefits of Black Duck SCA include:
- Scanning applications for vulnerabilities: Black Duck identifies and reports potential security risks in application code, including those stemming from open source libraries and dependencies.
- Identifying incompatible licenses: The tool ensures that used open source components comply with the organization’s licensing policies, preventing legal issues.
- Automating vulnerability scanning in CI/CD pipelines: Integrating Black Duck into CI/CD workflows allows continuous scanning and immediate detection of vulnerabilities, ensuring secure and compliant software releases.
For example, a cloud provider could block insecure configurations. Cloud service providers use Black Duck to identify and remediate insecure configurations, maintaining robust security postures for their clients.
Additionally, the recent Neural Magic acquisition by Red Hat provides some truly impressive business benefits. What stands out to me most is:
- Reduced AI infrastructure costs: Traditional AI workloads require high-performance GPUs, which are costly and resource-intensive. Neural Magic enables businesses to run AI models efficiently on existing CPU infrastructure, reducing capital and operational expenses.
For example, a SaaS company could reduce AI deployment costs by 50% using CPU-optimized Neural Magic solutions for its generative AI chatbot.
- Accelerated AI adoption: With Neural Magic, enterprises can deploy complex AI workloads faster, lowering barriers to entry for SMEs and resource-constrained industries.
For example, a midsize logistics firm could deploy route optimization AI models on Red Hat’s hybrid cloud, powered by Neural Magic’s software.
- Performance optimization for hybrid cloud AI: Neural Magic enhances Red Hat OpenShift’s ability to scale AI applications across hybrid environments, ensuring consistency in performance and reliability.
For example, a pharmaceutical company could use Red Hat and Neural Magic to deploy AI models globally for clinical trial analysis across private and public clouds.
- Support for open source innovation: Neural Magic’s contributions to projects like vLLM provide businesses with open source tools to build custom AI solutions, fostering innovation.
Adopting AI-generated code, AI assistants, AIOps, and tools like Black Duck is essential for modern businesses. These technologies drive efficiency, innovation, and customer satisfaction, allowing companies to focus on value delivery and growth. Businesses that leverage these advanced solutions position themselves competitively in their respective industries, ready to meet the demands of the future.
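The answers above describe SCA as scanning dependencies for vulnerabilities, checking licenses against policy, and running as a gate inside CI/CD. The following script is an added illustration of that idea in miniature; it is not Black Duck code or part of the interview. The package names, advisory identifiers, license metadata and the requirements file are all constructed for the example, and a real SCA product would fetch its advisory and license catalogs from a maintained database rather than from inline tables.

```python
"""Toy software-composition check for a pip requirements file.

Added example, not Black Duck's implementation. It reads requirements lines,
flags packages pinned to versions below a known-fixed version, flags unpinned
packages (non-deterministic resolution), and flags licenses outside an
allow-list, then exposes a pass/fail gate a CI job could act on.
"""
import re
from dataclasses import dataclass

# Constructed advisory catalog: hypothetical packages and IDs, not real CVEs.
ADVISORIES = {
    "examplelib": {"fixed_in": (2, 4, 0), "severity": "high", "id": "ADV-EXAMPLE-001"},
    "oldparser": {"fixed_in": (1, 0, 5), "severity": "medium", "id": "ADV-EXAMPLE-002"},
}

# Constructed license metadata (a real scanner resolves this from a catalog).
LICENSES = {"examplelib": "MIT", "oldparser": "GPL-3.0", "goodlib": "Apache-2.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Accepts "name" or "name==1.2.3"; other specifiers are reported as unparsed.
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*(==\s*([0-9][0-9.]*))?\s*$")


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass
class Finding:
    package: str
    kind: str      # "vulnerable" | "unpinned" | "license" | "unparsed"
    detail: str


def scan_requirements(text):
    """Return a list of Findings for each problematic requirement line."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            findings.append(Finding(line, "unparsed", "unsupported requirement syntax"))
            continue
        name, version = match.group(1).lower(), match.group(3)

        if version is None:
            findings.append(Finding(name, "unpinned",
                                    "no exact pin; the resolved version can change between builds"))
        else:
            adv = ADVISORIES.get(name)
            if adv and parse_version(version) < adv["fixed_in"]:
                fixed = ".".join(map(str, adv["fixed_in"]))
                findings.append(Finding(name, "vulnerable",
                                        f"{adv['id']} ({adv['severity']}): fixed in {fixed}"))

        license_id = LICENSES.get(name)
        if license_id and license_id not in ALLOWED_LICENSES:
            findings.append(Finding(name, "license", f"{license_id} is not on the allow-list"))
    return findings


def gate_passes(findings, fail_on=("vulnerable", "license")):
    """CI gate: fail the build on the finding kinds listed in fail_on."""
    return not any(f.kind in fail_on for f in findings)


# Constructed requirements file, the kind of output a coding assistant might emit.
SAMPLE_REQUIREMENTS = """\
# generated dependencies (constructed sample)
examplelib==2.3.1
oldparser==1.0.5
goodlib
"""

if __name__ == "__main__":
    results = scan_requirements(SAMPLE_REQUIREMENTS)
    for f in results:
        print(f"{f.kind:10} {f.package}: {f.detail}")
    print("gate:", "PASS" if gate_passes(results) else "FAIL")
```

Running it on the constructed file reports examplelib as vulnerable (pinned below the fixed version), oldparser as a license policy violation, and goodlib as unpinned, so the gate fails. Which finding kinds block a release is a policy decision passed through `fail_on`, which is the "trust-but-verify" knob the interview refers to: unpinned packages might only warn while vulnerable or license findings block.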
In the last 2 years, how has the AppSec industry evolved? Why should AppSec teams read the latest Black Duck BSIMM15 report?
What’s really fascinating about the “Building Security in Maturity Model” (BSIMM) report is that each report is the result of an ongoing study of the security activities performed by real world organizations. Each year, organizations in different industry verticals use BSIMM to create a software security scorecard for their programs that they then use to inform strategic programmatic improvements. BSIMM15, the latest iteration of the study, observed 121 organizations.
Software security is a rapidly changing field, so it’s important to understand what organizations are doing within their own programs to consistently mature based on their industry needs and business objectives. BSIMM’s software security framework comprises four domains: Governance, Intelligence, SSDL Touchpoints, and Deployment, and those domains are composed of 128 measured activities. From an executive perspective, BSIMM activities are valuable perspectives into preventative, detective, corrective, and/or compensating controls implemented into a software security risk management framework.
Over the past year, we’ve seen secure innovation take center stage. Organizations are grappling with the opportunities along with the risks presented by AI/ML, and with that, they’re contemplating the complexities that come with defining and securing this ever-evolving attack surface. A key trend observed in BSIMM15 is that there was a ~30% increase in organizations engaging research groups to develop novel attack methods. Adversarial testing has also more than doubled since the previous BSIMM report.
There have also been some notable observations regarding software supply chain security. With self-attestation requirements for selling software to the U.S. government, organizations are increasingly prioritizing activities supporting compliance. In fact, BSIMM15 observes a 22% rise in the number of organizations creating SBOMs for deployed software, and a 67% increase in organizations performing SCA on code repos.
One longer-term observation that I found particularly interesting was a dramatic decline in security awareness training. In 2008, when the BSIMM study launched, 100% of organizations in BSIMM1 conducted software security awareness training. This rate has steadily declined ever since. In BSIMM15, only 51.2% of organizations are still providing a basic level of security training to their teams, the lowest rate observed to date.
BSIMM15 offers compelling insights. Rather than dictating a set of prescriptive activities, the report observes and quantifies the actual activities carried out by various security programs across many types of organizations.
If the CIO role was a novel/TV/movie character, which one would you pick and why?
Neo, as “The One” in The Matrix, is an exceptional representation of the modern CIO’s responsibilities and challenges—and one of my favorite movie characters. His journey from a skilled hacker (Thomas Anderson) to a leader of humanity against the Matrix’s AI-driven system parallels the transformation of the CIO role in today’s digitally interconnected and AI-powered business world. Here’s an expanded analysis of why Neo is a fitting metaphor for a CIO, and how his traits, challenges, and decisions align with the expectations of the role.
- Mastering complexity in a digital world: The Matrix is a hyper-complex, AI-controlled system that shapes the lives of billions. Neo’s ability to see beyond its illusion and manipulate it gives him an unparalleled advantage. Similarly, the modern CIO must:
  - Understand the complexity of interconnected systems like AI, cloud computing, IoT, and big data
  - Navigate dependencies between IT, business operations, and customer needs
  - Act as a translator between technical details and business strategy
- AI mastery and innovation: The Matrix is an advanced AI system that simulates an entire reality. Neo’s journey involves understanding its algorithms, rules, and patterns to exploit its weaknesses. In the same way, a CIO must:
  - Leverage AI for innovation, such as predictive analytics, generative AI, and automation
  - Ensure the ethical use of AI, avoiding biases and misuse while aligning AI-driven solutions with business objectives
  - Balance automation with human oversight to create value rather than dependency
- Leadership in a transformational journey: Neo’s role evolves from being a skeptical individual to a leader of the resistance. He inspires others, builds trust, and leads a mission to free humanity. This reflects a CIO’s role in:
  - Driving organizational transformation through technology
  - Inspiring cross-functional teams to embrace digital tools and processes
  - Leading cultural shifts, ensuring employees adapt to changes brought by AI and automation
- Balancing innovation and responsibility: Neo is not only a fighter against the machines but also a moral compass, ensuring the safety of humanity while pushing the boundaries of what’s possible. Similarly, a CIO must balance:
  - Driving innovation (e.g., AI, blockchain, machine learning) with the ethical and regulatory implications of adopting these technologies
  - Managing risk while exploring new opportunities for growth and operational efficiency
  - Ensuring technological advancements align with the organization’s values and long-term strategy
- Adaptability and resilience in crisis: Neo frequently faces unpredictable challenges—Agent Smith, betrayals, and existential threats. He remains adaptable, learning new skills and evolving his capabilities to confront these crises. A CIO mirrors this resilience when:
  - Responding to cybersecurity threats, data breaches, or major outages
  - Managing rapid shifts in technology trends or unexpected business disruptions, such as the COVID-19 pandemic
  - Quickly pivoting strategies to address new competitive pressures or regulatory changes
- Building and leading teams: Neo’s success is never achieved in isolation. He relies on a strong team, including Morpheus (mentor), Trinity (partner), and the crew of the Nebuchadnezzar. This teamwork is central to overcoming challenges and achieving his mission. Similarly, a CIO must:
  - Foster collaboration between IT, business units, and external partners
  - Build diverse, skilled teams that bring technical expertise and innovative thinking
  - Empower team members to take ownership and contribute to broader organizational goals
- Cybersecurity, battling the agents of the Matrix: The agents in the Matrix represent the system’s enforcers, much like cyber threats in the real world. Neo’s battles with them mirror a CIO’s ongoing efforts to protect their organization from:
  - Cyberattacks, such as ransomware, phishing, and DDoS
  - Insider threats and vulnerabilities in interconnected systems
  - Sophisticated adversaries using AI-driven attacks
In the AI-driven business world, Neo’s combination of visionary thinking, technical mastery, ethical focus, and transformative leadership makes him an ideal metaphor for the CIO role. Just as Neo unlocks the potential of the Matrix, a CIO unlocks the full power of technology to drive growth, efficiency, and success.
What are your predictions for the cyber tech AppSec and AIOps markets in 2025?
The application security (AppSec) and artificial intelligence for IT operations (AIOps) markets are anticipated to undergo substantial growth in 2025, driven by evolving technological landscapes, increasing cyber threats, and the growing complexity of IT ecosystems.
The global AppSec market is projected to reach approximately $13.64 billion in 2025. The surge in cyberattacks in recent years, including malware, ransomware, and API vulnerabilities, has increased the demand for robust application security solutions. Additionally, with the widespread adoption of cloud services and SaaS applications, organizations need to secure data and applications across hybrid environments. Strict regulatory frameworks like GDPR, HIPAA, and PCI DSS compel businesses to adopt application security measures.
With the convergence of AppSec and AIOps, we’re witnessing synergies involving security and IT operations, in that AIOps platforms increasingly include security event monitoring and analysis as part of IT operations. AI-driven threat detection is another element as AppSec solutions leverage AIOps methodologies for faster incident response and risk analysis. These synergies are also driving the integration of DevSecOps pipelines. Both markets benefit from closer integration, ensuring applications are built, deployed, and operated securely and efficiently.
But with benefits also come challenges. One key market challenge is a shortage of skilled professionals to manage advanced AppSec and AIOps solutions. There are also integration challenges. Integrating these technologies into legacy systems can be both complex and costly. This brings us to cost sensitivity: small to midsize businesses may struggle to adopt these solutions due to high initial costs.
In 2025 and beyond, organizations across industries—such as finance, healthcare, e-commerce, and telecom—will increasingly adopt AppSec and AIOps solutions to address modern challenges. The key focus areas will be scalability, automation, and AI-driven insights, all contributing to a resilient and efficient IT ecosystem.
Tag a leader in the cybersecurity industry or an influencer you would like to invite to a CyberTech Top Voice interview roundtable discussion:
- Rachel Wilson at Morgan Stanley
- Jen Easterly, former Director, CISA
Thank you so much, Ishpreet, for your delightful insights. We look forward to having you again at the CyberTech Top Voice engagements.
To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com
About Ishpreet
Ishpreet Singh serves as the Global Chief Information Officer (CIO) at Black Duck, where he oversees all CIO functions and drives the company’s digital transformation. In this role, he is responsible for aligning technology strategies with business objectives, implementing innovative AI-driven solutions, and building scalable infrastructures that enable growth and profitability. Ishpreet’s work at Black Duck focuses on enhancing operational efficiency, optimizing business processes, and future-proofing the organization through advanced technology adoption. Prior to joining Black Duck, Ishpreet was the CIO at Qualys, where he successfully built and scaled IT functions supporting the company’s rapid growth, ensuring seamless operations, and delivering key business outcomes. Prior to Qualys, Ishpreet held key IT leadership roles at Pluralsight, Imperva, Data.ai, and Splunk, and spent a decade with Deloitte advising global enterprises on complex technology transformations. Ishpreet holds a degree in Computer Science Engineering and has completed various leadership certifications in finance and strategy.
About Black Duck
Software impacts every business, government, and individual in the world. Now more than ever, the security and quality of software is essential, and Black Duck is dedicated to making sure everyone can trust the software they use, sell, and buy. With bold and innovative solutions for our customers’ toughest challenges, we help organizations secure their software quickly so they can innovate safely and move their business forward. Everything we do is designed to help our customers succeed.