9 Product Security Leaders You Should Be Following Already

Published: October 14, 2025 | By: Anushika Babu
Ideal for: Security Leaders, Security Champion

Everyone talks about product security, but few actually lead it well. As software supply chains stretch across continents and AI pushes code into production faster than humans can review it, leadership (not tooling) is what separates teams that survive from those that stumble.

Strong product security leaders shape how engineering, compliance, and business strategy move together. They turn secure design into a competitive advantage and make sure security keeps up with delivery velocity instead of the other way around.

Table of Contents

  1. Deneen DeFiore
  2. Noopur Davis
  3. Jamil Farshchi
  4. Roland Costea
  5. Teresa Zielinski
  6. Patrick Opet
  7. Rich Agostino
  8. Praveen Vijay Gopal
  9. Devon Bryan

Deneen DeFiore

(LinkedIn)

When you’re responsible for securing a global airline, every decision has real consequences. Deneen DeFiore operates in one of the most complex security environments anywhere, where digital systems, physical infrastructure, and regulatory oversight all intersect. As VP and Global CISO at United Airlines, she’s protecting people, operations, and critical infrastructure.

Bridging cyber, engineering, and national resilience

DeFiore’s leadership stands out because she treats product security as a system. In aviation, the software that runs aircraft systems, passenger platforms, and logistics must be reliable under every condition. She connects cybersecurity with engineering and operational continuity, ensuring that resilience is designed into every layer.

Her impact goes beyond the enterprise. As a member of the National Infrastructure Advisory Council, she helps shape national cyber risk strategy across critical sectors. Her perspective on aviation security gives her unique insight into how regulation, technology, and real-world risk intersect.

DeFiore is also a visible and consistent voice in the community. Through her board role at Blackbaud, regular keynote appearances, and public engagement, she drives a broader conversation on what effective product security leadership looks like at scale.

Key achievements

  • Board member at Blackbaud
  • Member of the National Infrastructure Advisory Council
  • Named a “Top CISO to Watch”
  • Regular keynote speaker at aviation and security industry events

DeFiore shows what mature product security leadership looks like in practice: grounded in technical rigor, operational awareness, and a clear understanding of how cyber risk translates into business risk.

Noopur Davis

(LinkedIn)

Telecom and media companies sit at the center of how the world connects. That means every outage, every breach, and every misstep has an impact far beyond the organization. Noopur Davis, Executive Vice President and CISO at Comcast, leads security at that scale. Her work spans billions of customer interactions, massive content delivery systems, and complex cloud-native networks that keep businesses and consumers connected every day.

Turning security strategy into enterprise discipline

Davis’s leadership is rooted in operational depth. She has built programs that align security with business growth, ensuring controls scale as the company expands its digital footprint. Her team manages threats across both consumer-facing and enterprise systems, integrating telemetry, automation, and policy enforcement into an infrastructure that processes vast amounts of data in real time.

She approaches security as an enterprise discipline. Her ability to bridge executive priorities with technical implementation has made her one of the most visible and respected CISOs in the industry. Davis is known for communicating complex security concepts in language that resonates with boards, regulators, and engineers alike. That skill allows her to drive meaningful accountability across the organization while keeping security aligned with delivery and performance goals.

A recognized voice in cyber leadership

Beyond Comcast, Davis is an active voice shaping national cybersecurity priorities. As a member of the U.S. Cybersecurity Group at Aspen Digital, she contributes to discussions that influence policy, collaboration, and workforce readiness across industries. Her tenure as CISO of Fannie Mae and her frequent presence on conference stages give her credibility in both regulatory and technical circles.

Key achievements

  • Executive Vice President and CISO, Comcast
  • Former CISO of Fannie Mae
  • Member of the U.S. Cybersecurity Group at Aspen Digital
  • Named among the Top 100 Executive Women in Tech
  • Frequent speaker at major cybersecurity and technology conferences

Davis represents what mature security leadership looks like in a connected world: clear strategy, operational precision, and the ability to make security an enterprise-wide strength instead of a reactive function.

Jamil Farshchi

(LinkedIn)

Few security leaders have faced a challenge as public or as consequential as the one Jamil Farshchi took on at Equifax. As Executive Vice President, CISO, and now CTO, he has driven one of the most complete cybersecurity and technology transformations in recent memory. His dual role gives him direct control over both the security strategy and the technical infrastructure that supports it, closing the gap that often slows progress in large enterprises.

Turning crisis into a scalable security model

Farshchi joined Equifax after its 2017 breach, inheriting a complex environment under intense regulatory and public scrutiny. Instead of focusing on damage control, he rebuilt the organization’s security architecture and culture from the foundation up. That included overhauling infrastructure, centralizing governance, and embedding security into product development lifecycles across global teams.

Under his leadership, Equifax implemented a unified cloud strategy, continuous security monitoring, and engineering practices that link code quality directly to risk metrics. His approach turned compliance-driven remediation into measurable resilience, something most organizations struggle to achieve even without the pressure of global oversight.

A technical voice with real-world credibility

Farshchi’s visibility in the security community comes from his willingness to share lessons learned. He is a regular guest on major industry podcasts and has been featured in Forbes, The Wall Street Journal, and leading cybersecurity publications. His insights focus on how CISOs can move from reactive defense to proactive engineering.

Before Equifax, Farshchi held senior security roles at Visa and Los Alamos National Laboratory, experiences that shaped his pragmatic approach to building resilient systems at scale. His seat on the board of UKG further reflects how his perspective on risk and technology now influences executive decision-making across industries.

Key achievements

  • Executive Vice President, CISO, and CTO at Equifax
  • Led Equifax’s post-2017 breach recovery and security transformation
  • Board member at UKG
  • Former security leader at Visa and Los Alamos National Laboratory
  • Featured in Forbes, The Wall Street Journal, and top industry podcasts

Farshchi’s career shows what happens when security and technology leadership operate as one function: strategic decisions translate directly into secure and scalable engineering outcomes.

Roland Costea

(LinkedIn)

When your products power global businesses, security becomes part of the product itself. Roland Costea understands this better than most. As CISO of SAP Enterprise Cloud Services, he leads security across a massive platform that underpins how thousands of enterprises operate every day. His work influences not just SAP’s internal resilience, but also how its customers design, deploy, and secure their own systems in the cloud.

Aligning cloud transformation with real security outcomes

Costea’s leadership sits at the intersection of cloud engineering, enterprise transformation, and product assurance. He has driven major security uplifts inside SAP’s cloud environments, ensuring that customer workloads benefit from embedded controls. His focus on automation, telemetry, and shared-responsibility alignment has helped make SAP’s enterprise cloud offerings more transparent and auditable for clients with complex compliance requirements.

Before joining SAP, Costea held leadership roles at Microsoft and IBM, where he worked on global security architecture and cloud adoption frameworks. That background gives him an inside view of how large technology providers approach the balance between scale, innovation, and governance. It also gives him a pragmatic understanding of what enterprise customers actually need from their service providers to stay secure while moving fast.

A visible advocate for practical cloud security

Costea is one of the most accessible voices in enterprise cloud security today. Through regular podcast appearances and talks at global cybersecurity summits, he breaks down the technical and operational realities of securing large-scale platforms. His insights often focus on how to embed product security into development and operations without slowing down the pace of delivery, a recurring challenge for modern cloud businesses.

Key achievements

  • CISO, SAP Enterprise Cloud Services
  • Led major enterprise cloud security uplift initiatives at SAP
  • Former senior roles at Microsoft and IBM
  • Frequent speaker and podcast guest on SAP security and cloud transformation

Costea’s work shows what mature product security looks like in the cloud era: deep technical integration, measurable assurance, and a clear link between secure engineering and customer trust.

Teresa Zielinski

(LinkedIn)

Few industries operate under tighter margins for error than power generation. Teresa Zielinski leads security for GE Vernova, the $30B energy spinoff of General Electric, where uptime, safety, and data integrity directly affect how nations function. As Global CISO, she oversees cybersecurity for a portfolio that includes industrial control systems, renewable energy operations, and global data infrastructure - all at enterprise scale.

Building security into complex industrial operations

Zielinski’s leadership stands out because she integrates cybersecurity into areas where many organizations still treat it as external oversight. Her scope covers operational technology (OT), data governance, and M&A security, three of the most technically and politically complex domains in enterprise risk management.

When GE Vernova spun off from General Electric, she led the security separation and rebuild from the ground up. That meant disentangling decades of shared systems, establishing new governance frameworks, and creating independent operational controls without interrupting power delivery or compliance obligations. Managing security during that kind of corporate transformation is as much about engineering precision as policy design, and she delivered it under global scrutiny.

A model for scale, resilience, and real-world risk

Zielinski’s approach links cybersecurity with business continuity and asset performance. Her teams secure critical energy infrastructure that supports both commercial and government operations across continents. That means handling incident response, regulatory coordination, and technology modernization simultaneously across legacy and modernized platforms.

Her experience shows how industrial security can be both pragmatic and forward-looking. She focuses on data-driven risk assessment, secure integration of new digital technologies, and continuous monitoring of systems that cannot afford downtime.

Key achievements

  • Vice President and Global CISO, GE Vernova
  • Led cybersecurity for GE Vernova’s corporate spinoff and operational transition
  • Managed security for assets exceeding $30B in global revenue
  • Oversaw power generation and industrial cybersecurity initiatives worldwide

Zielinski’s career reflects what mature product security leadership looks like in critical infrastructure: clear governance, technical precision, and a direct line between security outcomes and operational stability.

Patrick Opet

(LinkedIn)

Running cybersecurity at JPMorgan Chase means defending one of the most complex and targeted environments in the world. Patrick Opet, Global CISO, directs security across a financial and technology ecosystem that supports millions of customers and some of the largest markets on the planet. His work combines software assurance, supply chain integrity, and financial infrastructure security into a single operational strategy that runs around the clock.

Turning enterprise security into an engineering function

Opet’s approach reflects how modern banking security has evolved. He oversees a cybersecurity budget of roughly $600 million and a technology organization of more than 57,000 engineers. Under his leadership, security is embedded into how systems are built and maintained, not managed as a separate control layer. That model treats code integrity, dependency management, and infrastructure assurance as part of software delivery, ensuring that every release aligns with risk and compliance objectives.

He places strong emphasis on securing the digital supply chain, an issue that has become critical as financial institutions depend on an expanding network of APIs, SaaS tools, and open-source components. His team focuses on continuous validation of software provenance, third-party integrations, and configuration consistency across thousands of applications. This scale demands engineering automation and governance precision that few organizations can replicate.

Defining the future of financial system security

Opet’s leadership extends beyond JPMorgan Chase. He is an active voice in advancing cybersecurity standards for the financial sector, advocating for stronger collaboration between banks, technology providers, and regulators. His experience provides a clear view into how large-scale institutions can modernize security without slowing innovation or violating regulatory boundaries.

Key achievements

  • Global CISO, JPMorgan Chase
  • Oversees a cybersecurity budget of approximately $600 million
  • Leads a global organization of over 57,000 technologists
  • Key advocate for software supply chain security across the financial sector

Opet’s work demonstrates how cybersecurity in financial services has become a true engineering discipline: data-driven, deeply integrated, and built for scale in a world where resilience equals trust.

Rich Agostino

(LinkedIn)

Retail runs on constant availability and customer trust, which makes it one of the hardest environments to secure. Rich Agostino, Chief Information Security Officer at Target, leads security across a global retail and technology network that processes millions of transactions every day. His work defines what modern retail security looks like: integrated, intelligence-driven, and engineered for both speed and resilience.

Building a security model that learns and adapts

Agostino’s leadership is grounded in proactive defense. He oversees programs that fuse threat intelligence, product security, and fraud prevention into a single operational view. This approach allows Target to spot patterns across point-of-sale systems, cloud infrastructure, and digital applications long before they become incidents. His emphasis on automation and intelligence sharing enables the security organization to act in real time while keeping customer experience unaffected.

Under his direction, Target has strengthened its software assurance and vulnerability management pipelines, ensuring that code deployed across retail systems meets enterprise security standards. His teams continuously assess supplier dependencies, third-party integrations, and internal software components to maintain visibility across the full product ecosystem. This level of precision is rare in retail environments that rely on distributed systems and constant product iteration.

Driving industry collaboration and shared defense

Agostino’s influence extends well beyond Target. As Chair of the Retail and Hospitality Information Sharing and Analysis Center (RH-ISAC), he has pushed for collective intelligence and coordinated response across the industry. His leadership in that space has improved how organizations exchange data, respond to attacks, and strengthen the resilience of shared supply chains.

He is also a frequent public voice in discussions about security maturity, incident response, and retail technology modernization. His induction into the CSO Hall of Fame recognizes a career defined by practical leadership and measurable outcomes.

Key achievements

  • Chief Information Security Officer, Target
  • Chair of the Retail & Hospitality ISAC
  • Inducted into the CSO Hall of Fame
  • Leads global cybersecurity and technology risk management programs at Target

Agostino’s work shows how large-scale retail operations can build security programs that evolve as fast as the business they protect: data-driven, collaborative, and operationally grounded.

Praveen Vijay Gopal

(LinkedIn)

In healthcare, the margin for error is measured in lives, not downtime. Praveen Vijay Gopal, Global CISO at Abbott, leads cybersecurity across a portfolio that includes medical devices, diagnostics, and connected health systems used around the world. His work defines what it means to integrate product security into regulated and safety-critical environments where reliability and trust are inseparable from patient outcomes.

Engineering security into every stage of the device lifecycle

Gopal’s leadership focuses on securing the entire lifecycle of connected medical products, from design and manufacturing to deployment and long-term maintenance. His programs embed risk analysis and threat modeling into product development, ensuring that every device meets regulatory and safety expectations before it ever reaches the field.

Under his direction, Abbott has implemented a comprehensive approach to device cybersecurity that addresses firmware integrity, data encryption, and secure communications for IoT-enabled systems. This includes continuous monitoring, vulnerability disclosure coordination, and post-market incident readiness, which are essential for managing risks in distributed healthcare environments.

He also plays a leading role in aligning cybersecurity with global healthcare compliance frameworks. That includes mapping product assurance processes to FDA, EU MDR, and other international standards so that regulatory reporting and security validation move in lockstep. This integration allows Abbott to innovate quickly while maintaining the strict governance healthcare demands.

Leading the conversation in health technology security

Gopal is an active voice in the health tech community. He frequently presents at events such as the Healthcare Security Summit and HIMSS, sharing insights on securing connected devices and scaling cybersecurity programs across clinical operations. His published work in health technology journals adds further depth, offering practical guidance to both product builders and healthcare providers navigating complex regulatory and technical ecosystems.

Key achievements

  • Global CISO, Abbott
  • Leads cybersecurity transformation across medical devices and connected systems
  • Frequent speaker at the Healthcare Security Summit and HIMSS
  • Published author in health technology and cybersecurity journals

Gopal’s work illustrates how cybersecurity becomes part of the core design principle in healthcare technology: structured, evidence-based, and aligned with the realities of patient safety.

Devon Bryan

(LinkedIn)

Few leaders bring the range of experience that Devon Bryan does. As Global Chief Security Officer at Booking Holdings, he oversees cybersecurity for one of the largest digital travel and fintech ecosystems in the world. His role covers millions of daily transactions, sensitive consumer data, and a platform that connects travel, payments, and logistics across continents.

Applying cross-sector expertise to modern risk

Bryan’s background spans government, finance, and healthcare. Before Booking Holdings, he led cybersecurity at ADP, the Federal Reserve, and BlueCross BlueShield. That mix of regulated industries gives him an unusually broad understanding of how compliance, data privacy, and product engineering intersect in real-world environments.

At Booking Holdings, he has built programs that treat security as both a business and engineering function. His teams focus on secure software delivery, global data protection, and operational resilience across a network of high-traffic brands. The scope includes fintech integrations, third-party APIs, and digital identity systems that must operate securely in multiple jurisdictions. This means balancing speed, regulation, and customer trust under one cohesive strategy.

Bryan is also known for promoting diversity, equity, and inclusion in cybersecurity. He co-founded the International Consortium of Minority Cybersecurity Professionals, an organization that mentors and advances underrepresented talent across the industry. His leadership philosophy combines technical depth with a strong focus on team culture and long-term capability building.

A consistent voice in the security community

Bryan frequently speaks at RSA, SANS, and other leading conferences, where he shares lessons from building security programs across different sectors. His public insights often center on resilience, career growth, and how leadership decisions translate into measurable risk outcomes.

Key achievements

  • Global Chief Security Officer, Booking Holdings
  • Co-founder of the International Consortium of Minority Cybersecurity Professionals
  • Former cybersecurity leader at ADP, Federal Reserve, and BlueCross BlueShield
  • Frequent speaker at RSA, SANS, and other major security conferences

Bryan’s work reflects a complete view of modern security leadership: technical precision backed by cross-industry experience and a clear commitment to building stronger and more diverse security teams.

Real leadership is built on impact

What sets these leaders apart isn’t the size of their teams or the weight of their titles. It’s how they move the field forward. Each of them brings something rare to product security: deep technical insight, domain mastery, and a record of turning complex challenges into repeatable outcomes. They shape how organizations build, secure, and scale products that the world relies on.

If you care about staying ahead of real-world security issues, follow their work. Find them on LinkedIn, listen to their podcasts, and catch their talks. They consistently share lessons that come from experience.

At AppSecEngineer, we focus on the same mission: helping teams build security into every product decision. Our hands-on labs and learning paths teach developers, architects, and security engineers how to apply secure design thinking in real-world workflows. Because great security leaders aren’t born from titles or slides. They’re built from doing the work, one product at a time.

Anushika Babu

Blog Author
Anushika Babu is the Chief Growth Officer at AppSecEngineer, where she turns scrappy ideas into scalable revenue. Former CMO, forever curious, and mildly obsessed with feedback loops, she builds high-performing GTM engines fueled by AI, storytelling, and zero patience for fluff. If it drives growth, she’s already testing it.