Saturday, July 5, 2025

Sean Malone on Aligning Security with Business Goals


Khushbu Raval
Khushbu is a Senior Correspondent and a content strategist with a special foray into DataTech and MarTech. She has been a keen researcher in the tech domain and is responsible for strategizing the social media scripts to optimize the collateral creation process.

BeyondTrust CISO Sean Malone shares his playbook for aligning security with business goals, tackling cloud risks, and evolving identity-first defenses.

In today’s threat landscape, effective cybersecurity leadership demands more than technical expertise—it requires business alignment, agility, and a deep understanding of adversary tactics. Sean Malone, CISO at BeyondTrust, brings a rare blend of offensive and defensive experience, combined with a startup founder’s mindset and a business leader’s strategic foresight.

In this conversation, Malone shares his playbook for building security programs that scale with the business, drawing on lessons from Amazon Prime Video to fast-moving startups. He discusses the evolving role of the CISO as a translator between security and business risk, how cloud-native strategies can balance developer velocity with strong governance, and why identity is the linchpin of modern security. Whether it’s redefining privileged access management in a zero-trust world or applying red team insights to harden real-world defenses, Malone offers a grounded, forward-thinking perspective on securing what matters most.

Full interview:

You’ve built and transformed security programs at major organizations like Amazon Prime Video. What’s your playbook for aligning security strategy with core business goals from day one?

It’s important for security leaders to embrace their role as business leaders fully. I think of myself as a business leader focusing on securing information systems, rather than a security person operating at the business level. This mindset helps to ensure that my security programs are calibrated to help the business succeed.

As a CISO who’s also been a successful entrepreneur, how do you think the mindset of a startup founder helps shape more agile, business-savvy security leadership?

I’ve had the opportunity to work with all sizes of organizations—from a three-person startup to Accenture and Amazon. This breadth of background provides a diverse set of experiences to draw upon. I think of it as having lots of different types of tools in my toolbox, with the ability to use the right tool for the job. Sometimes, a security program needs the agility & urgency of a startup, but sometimes it’s also necessary to incorporate the discipline and rigor of more mature organizations.


With growing expectations around security transparency and communication, how do you balance the need for executive-level clarity with the complexity of modern threats?

The primary role of the CISO is to help the business make prudent risk management decisions. This requires translating high-level business objectives into complex, technical security requirements. I seek to tailor my message to the needs of specific business audiences so everyone, from finance to sales to engineering, understands how security objectives fit into overall business outcomes.

You’ve led offensive (red team) and defensive security efforts—how does this dual perspective shape your approach to securing cloud-native and hybrid environments at scale?

My roots are on the offensive side, where I spent ten years attacking enterprises with well-funded security programs. Our red team was typically able to achieve objectives that would materially damage the business, without containment and eradication by the blue team. Frequently, this stemmed from a failure of imagination combined with thinking in terms of checklists of security controls, rather than trust relationships and attack paths. I deploy this adversary mindset when designing security programs and architectures, with a knowledge of what defenses actually make life more difficult for the adversaries. 

In your experience, where do most cloud security strategies fall short—and how can organizations close those gaps without creating friction for developers and ops teams?

In legacy on-premise environments, engineering roles were typically specialized and focused on the operation of specific components such as networking, firewalls, or servers. 

In cloud environments, a single software engineer may have the ability to deploy complete architectures and expose them to access from the Internet. Because of this, it’s important to maintain layered defenses not just in the architecture deployed, but in the change management for that architecture. This includes mandating universal infrastructure-as-code, source code protections, code reviews, security scanning prior to deployment, configuration and event monitoring after deployment, and reducing human access to production environments. Most of these are not security-specific controls—instead, they are prerequisite elements of great engineering, which make great cloud security feasible.


With BeyondTrust’s focus on identity and privileged access, how are you evolving PAM (Privileged Access Management) to meet today’s challenges around zero trust and lateral movement?

My red team background taught me the importance of identity security. In every adversary simulation engagement, we found that actual exploitation of software or system vulnerabilities was a very small part of the overall engagement. We spent most of our time abusing trust relationships that provided a path to privilege in the target environment. By the time we were ready to complete our end objective, we were not exploiting the system; we were simply logging in with stolen credentials after pivoting through the internal network. 

I’m excited to work closely with the BeyondTrust team focused on solving this challenge. It starts with assessing the risk of these identity attack pathways in the environment, and then leveraging modern PAM solutions, as necessary, to prevent an adversary from abusing those paths to access critical systems. This includes deploying Just-in-Time (JIT) access controls that continuously (and seamlessly) assess connection requests, to make smart access decisions based on all available security telemetry. 
