We recently had the chance to sit down with Bronwyn Boyle, CISO at leading fintech firm PPRO, a global payments platform that connects local transactions across borders.
With three CISO positions under her belt, Bronwyn brings a wealth of experience to the finance and cybersecurity communities.
She channels her perspective into tackling present-day industry problems and is an active advocate for cyber psychological resilience, increased neurodiversity in the cyber workforce, and resisting burnout at all levels.
In this article, Bronwyn discusses her journey into the field, the biggest threats facing finance, and how CISOs can empower their teams through tough times — while still getting some sleep at night.
How Did You Get Into Cybersecurity?
Bronwyn Boyle (BB): I started in the dot-com era, back in the mists of time where security is concerned. We were doing software engineering back then, and I was working for a full-scope consultancy that did it all: business design to technical requirements to building code, testing, and implementation.
It was a great place to get my start, especially since everyone was eager to build a web presence back then, so I got a chance to work on some super cool, innovative initiatives. But security wasn’t integrated at all, which made me realize a real gap that needed to be addressed.
At that point, I decided to pivot. I did an MSc in cybersecurity and spent a year doing hardcore pen testing, forensics — proper geeky stuff back in Dublin. Then the charity event, the White Hat Ball, put me in touch with Stephen Bonner, who at the time was something of a legend in the UK security community. At the time, he was leading Barclays’ Information Risk Management team, and he offered me a fantastic opportunity to evolve into the risk and business side of things.
That led me into finance, working for Barclays as Director of Information Risk Management, then to Lloyds Banking, and then to Open Banking, where I headed up Security and Counter-Fraud.
I love my role now at PPRO because we’re really on the cutting edge of driving significant innovation in payments, unlocking business opportunities for small geographies, localities, and individuals who have been underserved by traditional finance, while helping merchants and Payments Service Providers grow by better supporting their customers. It’s something I believe in, and something I’m very passionate about!
What Are the Biggest Threats Facing Finance Right Now?
(BB): This is a fast-moving sector (to put it mildly) and one that is eager to adopt change. Unfortunately, it’s also one in which attackers are moving just as fast.
Deepfake technology challenges legacy controls, such as biometric authentication used for core banking and payment transactions. We’re seeing faster (and better) social engineering and impersonation scams.
Agentic AI is throwing everything for a loop. Many of the basic cyber hygiene problems we still have not solved — permissions, access, provenance — are only trickier with agentic AI layered on top. We were struggling to secure human identities; massive, unblinking agentic AI adoption could only make matters worse.
This is big in finance as we always want to be first-to-market with tools that increase productivity and wins for our customers. The challenge now is to do it with eyes wide open: understanding what you’re willing to risk, what you’re willing to accept, and the tradeoffs that inevitably follow.
What Are Some Challenges Facing a CISO in 2026?
Geopolitical influence on data security
(BB): CISOs have a lot to juggle, especially in global, international-facing companies. Geopolitical upheaval has thrown an unexpected wild card into the mix, calling into question some things that we took for granted, even last year.
Questions of data security and sovereignty hang in the balance.
AI-driven supply chain threats
Supply chain threats are also nastier in an AI context, as so much of our digital estate relies on external partners and components. New tech can effortlessly expose vulnerabilities within these less-guarded entities, as we saw when AI was used to identify zero-days in the December attack on React.
Log4j also served as a wake-up call to CISOs everywhere: how much of our services rely on open-source software or other elements that sit beyond our control?
Not enough neurodiversity in the cyber workforce
Another problem is attracting good talent. There’s a huge talent pool across Gen Z and neurodivergent individuals. However, many of these profiles don’t perform well in traditional hiring and recruitment processes: psychometric tests, in-person interviews, etc.
Are we still availing ourselves of their talent — and simultaneously allowing them to succeed? As a CISO, I love to look at grassroots magnets for attracting these types of (potentially knock-out!) employees: things like The Hacking Games are key for identifying who can do the job, regardless of external factors.
We’re getting out-recruited
We also need to avail ourselves of popular watering holes. Cyber-criminals scout gamers, offering them high-value positions in fraud work because of their well-honed technical skills.
We need to be two steps ahead, in these same online forums, recruiting this same talent and offering them a chance to use their skills for good. Only we need to do it first.
How Can CISOs Support Their Teams and Prevent Burnout?
(BB): This is a topic that hits close to home. I had my own wobble a few years ago and have been even more of an advocate ever since.
Psychological resilience skills
That’s why I support Cybermindz, an organization that hits this issue head-on. It takes more than culture when dealing with constant cybersecurity strains; it takes skills.
Their programs are built around proven psychological resilience protocols used in high-stress environments (military, conflict). Cyber experts who have been through the same thing come in to gear it towards cybersecurity, lending it well-versed, compassionate advice.
I feel we should teach these skills as a baseline psychological resilience hygiene factor.
Openness about the human side
Additionally, being open about our own “human element” is key. Nobody here is an agentic AI agent (yet). We’re all dealing with family issues, health factors related to aging, care of parents or children, and a million issues in between that affect our ability to work.
Be mindful of how a mandatory five days in the office affects people on the fringes — people that once could have handled the work-life balance with that added bit of flexibility. And don’t shy away from honest discussions about the X-factors that affect your work. As a CISO, your example will set the tone for the team.
What Keeps a CISO Up at Night?
(BB): The nagging feeling in the back of your mind that the job is not well done. At the end of all things, our core assignment is to reduce risk.
We can’t control what people will do, but we can ensure that things are on the right track.
Is risk visible?
Is it being talked about transparently?
Are the right stakeholders involved in making key decisions?
If these are answered, we can let ourselves get some sleep at night. If they are not — if companies are unwilling to look risk in the face, if we can’t map security concerns to risk outcomes, if we aren’t building the right relationships that garner stakeholder involvement — we might have work yet to do.
But at the end of the day, nothing is done in a day. Internal regulation is key to managing the stress that comes with the job, even as that job is still in progress. And learning to turn our brains off helps us save power for when we need it the most.
Because the best way you can protect your company is to take care of one of its most valuable security investments: you.