Of all the individuals Tech Monitor has interviewed so far for this section, none fits the bill of a ‘Mover and Shaker’ more than Ishpreet Singh. Essentially a list of stints at the most dynamic shops in cybersecurity, Singh’s CV includes senior positions at Splunk, Imperva and Qualys, as well as a prized seat on CNBC’s prestigious Executive Tech Council. Recently appointed the CIO of Black Duck, the cybersecurity veteran is eager to make his mark anew at the relaunched and revitalised firm, now fully separated from its former owner, Synopsys.
“There are so many opportunities for us as an independent company to meet incipient cybersecurity challenges,” Singh told Tech Monitor. “The security challenges in software-born vulnerabilities, for example, are only increasing. So too are those risks deriving from mainstream adoption of AI.” In the following conversation, edited for length and clarity, Singh explains his ambitions for Black Duck as the new-old kid on the block – and the pitfalls other cybersecurity CIOs would be well-advised to avoid.

You’ve held prominent positions at Qualys, Splunk and Imperva. Why did you want to join Black Duck?
Ishpreet Singh: First and foremost, I wanted to join an award-winning team with a simple but clear mission: to secure the customer’s software without slowing down their developers. And to achieve that goal as CIO I have so many tools and teams that I can call on, beginning with our comprehensive vulnerability management solutions through to our customer advisory program and AI-powered security solutions. What’s more, the teams running those products are supported by a small army of researchers and engineers in our Innovation Lab and Cybersecurity Research Centre. They’re constantly on the lookout for new challenges – for example, creating contextually accurate SBOMs [software bills of materials] for compiled languages like C/C++, where the SBOM might differ based on the target’s CPU architecture. In a nutshell, their good work positions me to help position Black Duck as a security powerhouse!
What are your key priorities as CIO?
Long-term, my main priority has to be to enhance Black Duck’s security posture, the better to protect customers and the company itself. That means ensuring compliance with key regulations – think SBOM mandates, ISO 27001, SOC 2 – and enhancing zero-trust architecture to protect sensitive customer data. I’m also committed to maintaining a strong cyber-resilience strategy for the firm, guaranteeing a rapid response to any emerging incidents and ensuring disaster recovery mechanisms are in place.
More broadly, I’m always seeking to scale Black Duck’s IT infrastructure, implementing AI-driven automation in our internal systems to boost the firm’s operational efficiency wherever possible. That also means making our systems leaner and meaner for our sales, marketing and G&A functions and collaborating regularly with governments and regulatory agencies to ensure that our security compliance solutions remain at the cutting edge of what the market needs and requires.
How have these priorities been shaped by your previous experiences at Qualys, Imperva and Splunk?
My experience in enterprise security, cloud transformation, AI adoption, and operational scale-up allows me to address gaps between business strategy, cybersecurity resilience, and technology innovation. As software supply chain security, open-source risks, and DevSecOps maturity become enterprise priorities, my expertise will help transform Black Duck into a provider of AI-powered business solutions.
At a deeper level, my experience at those companies has taught me always to approach my goals as a CIO holistically. A cybersecurity company must consider security as a fundamental business strategy rather than merely a compliance requirement. Prioritising security as a growth opportunity and an enabling function is essential, beginning with the initial customer engagement.
At Black Duck, I’m lucky in that the CISO reports directly to me, but I’d recommend to my peers who aren’t in that situation to make it their business to know as much as they possibly can about their firm’s cybersecurity posture – after all, you can only secure what you know. From there, that posture should be strengthened across the board, with that overall goal cascaded down through your teams to build out the kinds of capabilities that’ll allow you to take on any challenge. I’ve often found a lot of companies try to approach that problem by tackling their core compliance requirements first but, if you start with that wider objective in mind, you’ll end up ticking all those regulatory boxes automatically.
And how are you leveraging AI, externally and internally?
AI is embedded into our offerings to leverage emerging technologies, the better to maintain our competitive edge. Without AI, I’ve found that AppSec becomes slow and inefficient, increasing risks, delaying fixes, and overloading security teams.
AI has proven incredibly useful for us in several respects. Our AI-powered application security assistant tool, for example, analyses application code contextually, reducing false positives by understanding actual execution behaviour rather than just pattern matching. We also lean heavily on machine learning-based prioritisation, wherein our proprietary models rank vulnerabilities based on exploitability, business impact, and risk severity, ensuring teams focus on critical threats first. Our Software Composition Analysis (SCA), meanwhile, generates and updates SBOMs, ensuring real-time visibility into open-source risks and snippet analysis for AI-generated code.
We have been eager to adopt new advances in AI and, more specifically, LLMs as and when they’re released. We make it our primary mission to do so securely, ensuring controls are in place. Additionally, one element of our roadmap with customers is that we want to provide flexibility for our customers based on needs and comfort level, offering to provide them with an LLM or allowing them to provide an LLM when an engagement involves source code.
AI provides huge advantages to innovation and velocity. However, with new technological advancements come the introduction of new risks in the threat landscape. For me, it’s incredibly important to roll out new tech cautiously and securely, ensuring that there are mechanisms and controls in place to leverage the benefits with security as an aspect of your strategy.
Where do you see the main challenges for cybersecurity firms manifesting? And how are you positioning Black Duck to respond to those challenges?
There are so many. The impact of AI is a big one, not least given its potential to rapidly transform development workflows and all the security and IP risks that brings. The changing risk landscape of the software supply chain is another area that keeps me up at night. That’s only likely to get more complex for our customers as regulators ask for ever-greater transparency on IT supply chains.
The growing complexity of application security is another emerging challenge. The field of application security testing, after all, is more integrated and automated in development workflows than ever before. This can be a good thing: fundamentally, it helps teams better detect and deal with security defects in their software early, minimising the likelihood they will make it into the final product where they can impact customers directly. But, as software development has itself become more complicated, so too has the work to secure that software. Companies are always looking for ways to reduce the “noise” caused by security testing so they can focus on the issues that pose the highest risk to their organisation, users, and customers.
Then there’s the regulatory landscape, particularly as it pertains to software supply chains. The Biden administration’s executive orders on cybersecurity put agencies, vendors and their suppliers on notice that they would need to be more transparent and accountable for their application security practices. Likewise, the EU Cyber Resilience Act (CRA) will be driving changes to security practices in any company selling products in the EU. Organisations are always trying to understand and react to these events in real time and look to vendors like us both for guidance and comprehensive compliance solutions.