Elisity Blog

Cyber Resilience: Interview with 7-Time CSO Roger Hale

Most boards now ask about cyber risk. Most executive teams now treat cybersecurity as a business-continuity function. And most CISOs still struggle to translate technical posture into language their directors can act on. The gap between cyber awareness and cyber resilience has widened even as budgets have grown, and that gap is not closing on its own. At RSAC 2026, we sat down with someone who has closed it from the inside seven times over: Roger Hale, a 7-time CSO whose career spans Fortune 500 enterprises, venture-backed unicorns, and post-breach turnarounds.

What Roger shared in our conversation was direct, framework-grounded, and focused on what most resilience programs still get wrong. The conversation kept returning to a single organizing idea: a cyber resilience strategy is not a product category or a tool stack. It is a governance posture, measured in recovery time, underwriter evidence, and the quality of the conversation the CISO can have with the board.

Who is Roger Hale, and why does his perspective matter?

Roger Hale has spent more than 25 years in security leadership, serving as CSO, CISO, or CIO at Fortune 500 enterprises and venture-backed unicorns, including Agora, BigID, Informatica, and Veritas/Symantec. At Broakan, Roger was the company's first Information Security Officer and led the response to a case that resulted in a $112 million intellectual-property judgment. At Agora, he built out the company's first CSO function and certified the platform under China's CAC and MIIT frameworks for large language models, then stood up the organization's ISO 42001 program for AI management. He is a founding member of Silicon Valley CISO Investments (SVCI), the CISO-led angel syndicate, and currently serves as Managing Director at Broakan, a fractional CSO and CISO practice based in Austin, Texas.

In short, Roger has built cyber resilience programs seven times, across seven different operating environments. His perspective bridges the boardroom and the SOC, the insurance renewal negotiation and the incident response tabletop. He has seen which approaches survive contact with reality and which ones do not.

The RSAC 2026 conversation nobody is having

RSAC 2026 was, by every measure, the AI show. When we walked the halls at Moscone, every second booth was selling AI-for-security, security-for-AI, or both. When we asked Roger what conversation leaders should be having instead, he was direct.

As Roger put it:

"AI is the new 'if you don't have it, you're not applicable right now.' But the conversation that really is going to come back to is resiliency. Everything is more segmented, more microservices, more distributed. And in that area, the resiliency of your organization, and how you're able to maintain your services when things don't go well, really needs to be a little bit stronger conversation."

The architectural reality underneath Roger's point is hard to argue with. Enterprise environments have shifted from monolithic stacks inside a perimeter to distributed systems spanning cloud workloads, on-premises OT, SaaS tenants, and edge devices. That distribution adds capability, but it also adds failure points. A cyber resilience strategy, in Roger's framing, is the discipline of building a business that keeps running when any of those failure points triggers. It is not a single tool. It is the tested ability to fail and recover without customers noticing.

For leaders at RSAC 2026, this reframing matters. If you booked sessions on AI governance and large-model risk, we hope you also booked the sessions on backup integrity, failover testing, and identity recovery. Our RSAC 2026 essential agenda for CISOs covers the resilience-oriented track in detail.

Real-time expectations and the new business case for resilience

The second through-line in our conversation was operational: customer and partner expectations around recovery time have collapsed. A decade ago, a ten-minute outage was an operational footnote. Today, it is a revenue event, a social-media event, and often a board event.

Roger described it this way:

"Your communication is able to failover, continue to flow, before human intervention, before someone even gets an alert going. The expectation on the internet now, and for everything, is real time. It's not 'well, we'll get it back up in ten minutes.'"

This is the operational bar a modern cyber resilience strategy has to clear. Recovery objectives measured in hours or days no longer match what customers expect, what regulators are starting to require, and what cyber insurers are using to evaluate risk. Roger's framing lines up with the detection and containment data: IBM's 2024 Cost of a Data Breach report found that organizations still take an average of 258 days to identify and contain a breach. The gap between that measured reality and a real-time expectation is the gap every resilience program is trying to close.

Resilience, in this sense, is not a side project. It is the evidence that business continuity and security are working as one function. Roger was clear that the tech stack matters, but the implementation of the tech stack matters more. No single point of failure. Automated failover. Logs, telemetry, and investigative evidence captured without human intervention. This is also the layer where testing cyber resilience with tabletop exercises stops being a compliance activity and starts being the program's primary quality gate.

Cyber insurance, contractual obligations, and the evidence you need

From real-time recovery, the conversation moved to a second forcing function that is reshaping how resilience programs get built: cyber insurance. Roger's view is that most organizations treat cyber insurance as a procurement line item when it should be treated as a resilience requirements document.

As Roger explained:

"Everyone has business insurance. But do they have cybersecurity insurance? And what does it take to get that cybersecurity insurance to pay off? There have been some very public breaches where they did not meet their contractual obligations with that cybersecurity. So they have to be able to have that information, they have to be able to do that investigation. If they can't prove that, then the cyber insurance doesn't pay out. And that hurts the entire company."

Cyber insurance requirements have tightened significantly across the 2024 and 2025 renewal cycles. Underwriters now ask for specific controls, tested recovery procedures, and incident evidence before paying claims. When a breached organization cannot produce the telemetry, segmentation evidence, or access logs that its policy required, the financial impact compounds: the breach cost, the legal cost, and the denied claim all arrive together.

This is why the evidence layer of a cyber resilience strategy has moved up the priority list. Every resilience architecture question now has a parallel insurance question. Can you produce the logs? Can you prove lateral movement was contained? Can you show which identities had access and which did not? The answer has to be yes before the claim, not after. This is also where preventing ransomware through microsegmentation becomes as much a cyber insurance conversation as it is a security one.

What boards actually need to understand about cybersecurity

The third theme Roger returned to was the one most CISOs find hardest: the boardroom. Roger noted that NACD (National Association of Corporate Directors) is increasingly advising boards to include cyber expertise at the director level, and that CISOs, in response, are learning how to "speak finance" to communicate with their boards.

That translation is where most programs still stall. Roger described one of his own boardroom exchanges: "I had a conversation with a board where they asked, Roger, if we give you all the people and all the money you're asking for, will we be secure? And the response was, if you don't support the entire program, not a project, and give me monies and people as we grow, then we can't be secure."

He extended the point into a framing every CISO can use:

"Security is not perfect. It's always going to be a risk-based quantification, and you're never going to reach a perfect number. So where are you at today? Where are you at tomorrow? Did you move the needle in the right direction? That's your board conversation."

This is the structural answer to the CISO board reporting problem. The board does not need a vulnerability count or a list of closed tickets. The board needs the delta. Where is the program today on a risk-quantified scale, where will it be after the next investment cycle, and what is the rate of improvement? The SEC's four-business-day incident disclosure rule, combined with the NIST Cybersecurity Framework 2.0 Govern function, reinforces this shift. Cyber posture is now a board-visible, continuously reported metric, not a once-a-year update.

The practical implication: resilience reporting and financial reporting need to share the same vocabulary. Budget cycles, capital expenditure decisions, and risk transfer decisions (including cyber insurance renewals) all depend on the same underlying quantification. The CISOs who can translate residual risk into dollar-denominated board language are the ones who get the program, not the project. For planning teams, our 2026 cybersecurity budget planning guide walks through the numbers in more depth.

Identity is identity: the conversation Roger wants the industry to stop having

The most distinctive moment in the conversation, and the one that most clearly separates Roger's view from the current RSAC floor, came when we asked what he would change if he could snap his fingers and pick one thing that would move the needle on cyber posture. His answer was about identity, but not the way most vendors are framing it in 2026.

In Roger's view:

"There's a lot of noise right now about non-human identity management. And I would love to snap my finger and stop the conversation about non-human identity and have the conversation just about identity. The way that we're acting today, the way the technology is running today, if you're an AI bot, if you're an API call, if you're a human, if you're a service account, that interaction, the idea about how and what you're doing and what you actually have access to needs to be a holistic conversation, not a 'them versus us.'"
Roger Hale's view: human and non-human identity should be evaluated under one policy fabric, not two.

This is a contrarian take on a category that has exploded over the past 18 months. Non-human identity is, functionally, a real operational concern. Service accounts, API keys, AI agents, machine identities, and workload identities do now outnumber human identities in most enterprise environments. But Roger's point is that splitting identity into two product categories (human and non-human) reinforces the fragmentation that makes enforcement hard in the first place. An attacker does not care whether the stolen credential belongs to a human or a service account. The policy needs to evaluate the request on its merits: what identity, for what action, against what resource, under what context.

Holistic identity management, in Roger's framing, means every access decision (human, machine, agent, API) is evaluated under one policy fabric. This is directly relevant to the conversation about AI agent identity in network security, because the AI agent is just the newest identity type asking the same old question: should this interaction be allowed? That same holistic framing is the architectural premise identity-based microsegmentation platforms are built on.

The career advice Roger would give anyone starting in cyber today

Before closing the interview, we asked Roger what he would tell someone just getting started in cybersecurity today. His answer was characteristically direct, and more about posture than technical skill.

"Practice being uncomfortable. The parts of the role, the parts of the opportunities that are uncomfortable, lean into those. That's how you learn the fastest, and that's how you build that comfort level to where what's uncomfortable is now something that's more relaxing and doesn't drain you of all your energy for the day."

The advice sounds personal, but it maps directly to what we had just been discussing. Cyber resilience, board literacy, holistic identity, and insurance-ready evidence are all uncomfortable conversations for most security programs. They require the CISO to speak finance, to push back on the board when the program gets confused with a project, and to challenge the industry when the industry is selling two categories where one is needed. Roger's career, seven CSO tours and counting, is itself the proof that the discomfort is the development path.

Frequently Asked Questions About Cyber Resilience Strategy

How do enterprises build a cyber resilience strategy?

A cyber resilience strategy combines prevention, detection, containment, and recovery into a single operating posture anchored to business-continuity outcomes. It starts with a quantified understanding of which services must continue during an incident, the acceptable recovery objectives for each, and the dependencies (identity, network, data, supplier) that each service relies on. It is tested continuously through tabletop exercises and live failover drills, not documented once a year. The NIST Cybersecurity Framework 2.0 provides the canonical structure, with the Govern, Identify, Protect, Detect, Respond, and Recover functions mapping directly to the resilience outcomes boards and underwriters now expect.

How do security leaders justify mitigation investments to the board?

Roger's framing is the shortest answer: tell the board where the program is today, where it will be tomorrow after the proposed investment, and whether the needle is moving in the right direction. Translate control gaps into financial exposure, not technical deficiency. A $10 million denied cyber insurance claim is a number the board can act on; a missing log source is not. Pair every investment request with the residual risk it is designed to reduce and the evidence standard it is designed to meet, including the specific cyber insurance requirements and SEC disclosure obligations tied to the control.

What cybersecurity metrics matter for board reporting?

The metrics that matter at the board level are the ones that translate into business-continuity and financial language: recovery time objective (RTO) and recovery point objective (RPO) per critical service, the mean time to contain a material incident, the percentage of the environment under tested resilience controls, and the residual risk expressed as quantified financial exposure. The NACD Director's Handbook on Cyber-Risk Oversight guides directors to ask for cyber metrics in enterprise-risk terms, which is the vocabulary CISOs should use. Vulnerability counts and ticket close rates belong in the CISO dashboard, not the board deck.

How can I quantify and report Zero Trust benefits to executive leadership and the board?

Zero Trust benefits are easiest to quantify when they map to specific resilience outcomes: reduced blast radius during an incident, faster containment time, and the ability to produce the access evidence cyber insurance carriers require. Report the reduction in east-west attack surface (number of identities that can reach critical resources before versus after policy enforcement), the containment time difference measured in tabletop exercises, and the control evidence the program can now produce automatically for underwriters and regulators. Roger's "did you move the needle" framing applies here too. The board does not need a Zero Trust maturity score; it needs to know whether the program's residual risk dropped, by how much, and at what cost.
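The one-policy-fabric argument from the identity section, and the before-versus-after "identities that can reach critical resources" number this answer suggests reporting, as an added Python example (not Elisity's or Roger Hale's code; the resources, identities and the `strong_auth` context flag are constructed for illustration):

```python
# Added example, not Elisity's or Roger Hale's code: one policy fabric that
# judges every access request on identity, action, resource and context, plus
# the before/after "identities that can reach critical resources" metric.
# All identities, resources and contexts are constructed sample data.

# Resource inventory: role grants, and whether strong authentication is
# required (MFA for people, attested workload credentials for machines; the
# policy only sees the outcome, not the method).
RESOURCES = {
    "payroll-db": {"critical": True, "strong_auth": True,
                   "grants": {"payroll-admin": {"read", "write"}}},
    "public-site": {"critical": False, "strong_auth": False,
                    "grants": {"web-editor": {"read", "write"}}},
}

# "kind" is informational only; the unified policy never branches on it,
# which is the "them versus us" split the interview argues against.
IDENTITIES = [
    {"name": "alice", "kind": "human", "roles": {"payroll-admin"}},
    {"name": "bob", "kind": "human", "roles": {"web-editor"}},
    {"name": "payroll-batch", "kind": "service", "roles": {"payroll-admin"}},
    {"name": "summarizer-agent", "kind": "agent", "roles": {"web-editor"}},
    {"name": "legacy-api", "kind": "api", "roles": set()},
]

def unified_decision(identity, action, resource, context):
    """One rule set for every identity kind: role grant plus context check."""
    res = RESOURCES[resource]
    allowed = set()
    for role in identity["roles"]:
        allowed |= res["grants"].get(role, set())
    if action not in allowed:
        return False
    # A stolen credential without strong auth is refused whoever it belongs to.
    return not res["strong_auth"] or bool(context.get("strong_auth"))

def fragmented_decision(identity, action, resource, context):
    """Baseline: machine identities sit outside the human policy and are
    implicitly trusted once they are on the internal network."""
    if identity["kind"] != "human":
        return context.get("network") == "internal"
    return unified_decision(identity, action, resource, context)

def blast_radius(decide, identities, context):
    """Identities that can reach at least one critical resource under `decide`:
    the before-versus-after number the FAQ above suggests reporting."""
    critical = [n for n, r in RESOURCES.items() if r["critical"]]
    return sum(1 for ident in identities
               if any(decide(ident, "read", n, context) for n in critical))

if __name__ == "__main__":
    ctx = {"network": "internal", "strong_auth": True}
    print("fragmented:", blast_radius(fragmented_decision, IDENTITIES, ctx))  # 4
    print("unified:", blast_radius(unified_decision, IDENTITIES, ctx))        # 2
```

Swapping the baseline for the unified policy drops the reach count from four identities to the two that actually hold the payroll role, and that delta is the board-level number rather than the rule count.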

The conversation cybersecurity needs to have next

The through-line across Roger's seven CSO tours is a cyber resilience strategy that treats governance, identity, insurance, and board literacy as one connected system. Resilience is not the prevention posture with a backup plan attached. It is the tested ability to keep the business running when things go wrong, measured in recovery time, quantified in dollars, and evidenced to underwriters and regulators in real time. The tech stack matters, but the implementation of the tech stack matters more. And the identity layer underneath that implementation is one problem, not two.

For security leaders, the operational takeaways are concrete. Quantify the exposure in financial terms your board can act on. Test the resilience assumptions in tabletop exercises before an incident tests them for you. Treat human and non-human identity as one policy fabric. Build the evidence layer your cyber insurance carrier will ask for at renewal, before you need it. And report the delta, not the absolute number, because the board conversation Roger described is always about whether the needle moved.

For leaders building the identity-first resilience posture Roger described, explore how identity-based microsegmentation enforces human and non-human identity as one policy fabric. As Roger would say, practice being uncomfortable. That is where the resilience conversation starts.

Roger Hale in conversation with Elisity's William Toll at the Elisity RSAC 2026 studio.

About the Author
William Toll is VP of Product Marketing at Elisity, where he focuses on identity-based microsegmentation, Zero Trust architecture, and securing converged IT, OT, and IoT environments. William writes about cybersecurity strategy, market trends, and practical guidance for security leaders navigating the shift to modern network security. Connect with him on LinkedIn.
