Media Alert

Sitecore information security leadership in the AI era

How Sitecore’s CISO Heather Hinton applies enduring cybersecurity principles to AI innovation—and what CISOs can learn about ethics, accountability, and trust.

WHO: Heather Hinton, Chief Information Security Officer at Sitecore

WHAT: Panel discussion - “When Cybersecurity Gets Messy: Ethical Decision-Making Under Pressure.”

WHEN: Monday, March 23 | 1:10–2:00 PM as part of the invite-only Cyber Leaders Forum

WHERE: RSA Conference, Moscone Center, San Francisco

Chief Information Security Officers regularly face difficult decisions when business pressures collide with security priorities. In her RSA Cyber Leaders Forum panel, Sitecore CISO Heather Hinton and fellow cybersecurity leaders will explore a practical Professional Ethics Framework for navigating challenges such as disclosure timing, CXO–CISO tensions, and compliance pressures while maintaining professional integrity and organizational trust. As a global leader in AI-enabled digital experience software, Sitecore helps brands deliver personalized, data-driven customer experiences, making these ethical considerations especially critical as AI becomes central to how companies engage with customers.

With more than 30 years of cybersecurity experience and 85 US patents to her name, Hinton brings deep technical and leadership expertise to her role as CISO at Sitecore. Ahead of her RSA Conference panel, she shared her perspective on ethical decision-making, the evolving role of the CISO, and why enduring security principles remain critical in the age of AI.

The session is invite-only for members of the Cyber Leaders Forum.

Drawing on three decades in cybersecurity, which core principles still guide your work today?

Heather Hinton:
For me, the first principles have not changed at all. The need to focus on solving security problems in a way that balances usability, security and business objectives hasn’t changed. Robust controls and governance over who can access what information, along with protections to prevent unauthorized access, are essential to maintaining confidentiality, integrity, and availability.

The changes in this overall goal over the years are the result of increasing technology advancement and adoption, the speed of change and the impact of this on us as defenders. Consider the desire of a business to run business intelligence and analytics against its data.

This used to be a clunky exercise run against multiple databases; then it was a function run by a dedicated BI and data science team against the aggregated data in a data lake. Now it is incredibly fast and responsive; AI-assisted intelligence and analytics run against the data lake.

These changes are exposing more people and processes to aggregate data that we have previously had to consider or manage. So, while the goals have not changed from when we first looked at data aggregation and database use in the 1970s, the disciplines, tools and techniques to manage need to keep up with this rapidly evolving environment.

The other incredible change is the role of AI in making technology more accessible, consumable, and easier to use. For example, AI helps everyone build API integrations to cloud services; previously this functionality and integration was in the control of a security team. Now it is available to everyone. The “security by difficulty” and “security by roadblock” that used to be the unintentional guardrail limiting access is no longer in place. Again, the disciplines, tools and techniques we have in place to manage our pre-AI-era environments need to adapt (now!) to manage and protect this rapidly changing ecosystem.

Everyone is aware of the rate and pace of change that we are currently experiencing. So if anything, the biggest change is figuring out how I prove to the world that what I am doing to secure our environment is what is necessary for our environment, our business context and that my disciplines have evolved and continue to protect your data and the services you rely on.

What drew you to Sitecore and its approach to AI?

Heather Hinton:
The reason that Sitecore is interesting is because of where we are on the AI journey.

There just aren’t that many companies that are this far advanced. Some people are all in with AI coding. Some people are all in with “every single email is written and revised by AI.” Others are all in with using AI agents to complete simple and complex tasks, reducing error and fatigue within individual teams.

But being all in on AI across the company, with every individual within the company thinking about AI, using AI, building AI solutions, is just not what other people are doing.

You’re participating in a panel at RSA on ethical decision-making for CISOs. What inspired that conversation?

Heather Hinton:
Within my peer group, many of us fundamentally believe we need to have a Code of Professional Conduct for CISOs, security leaders and security practitioners. This Code represents professional obligations that we hold ourselves accountable to, and that we can also use as guidance when we are asked to behave in a way that we are uncomfortable with.

Many, if not all, professions have a Code of Professional Conduct of some form. Doctors have the Hippocratic Oath; engineers, lawyers, and actuaries all have codes of conduct of some form.

These provide guidance on what is acceptable, and how to hold ourselves accountable for our actions.

The purpose of the panel is to walk through real scenarios where CISOs have been under pressure to make decisions that conflict with professional standards or that expose them personally to unacceptable risk and to use the guidance of a code of professional conduct to navigate these scenarios.

We want to give cyber leaders tools to help them navigate these situations, whether it's a code of conduct, or a “phone a friend” network for support and advice, or understanding how to position risk in a way that helps executives make informed decisions without immediately getting you shown to the door.

CISOs often sit at the center of tension in the C-suite. How should that relationship really work?

Heather Hinton:
A healthy relationship with other executives means understanding what their goals are.

I need to understand what motivates the CMO, what the CIO is trying to accomplish, what the CTO is trying to accomplish, what the sales organization is trying to accomplish.

Then my job is to help them manage cybersecurity risk in a way that supports those outcomes.

With the head of marketing, the conversation is about trust. If customers don’t trust you, it doesn’t matter how much you spend on marketing.

With the head of sales, the conversation is about reducing friction in the sales cycle. Strong security posture and audits help deals move faster.

Security becomes a business enabler when you align it with those outcomes.

Who tends to be the CISO’s strongest ally inside the organization?

Heather Hinton:
On one hand, it should be everyone. At a minimum, it should be the head of legal and risk.

Legal and risk teams speak risk the way security speaks risk. They’re slightly different dialects, but it’s a shared language.

The CIO is another one, because they typically drive things like secure workstations and infrastructure.

Product leaders are important because they help set the standards that products are developed to and secured to.

And then there’s the head of sales, because I’m helping unblock deals where customers want to talk to somebody who speaks their language.

CISOs are often called the “Department of No.” Is that still accurate?

Heather Hinton:
We used to be.

But a lot of CISOs are pivoting now to being the Department of “Yes—and.”

You want to run with scissors? Sure. Run with scissors. Here’s the box. You’re going to put the scissors inside the box, and I’m taping the box shut for you.

Now you can run with scissors.

Sitecore has been vocal about its AI strategy. How are you approaching governance and security?

Heather Hinton:
One of the things we started very soon after I joined was recognizing the need for ISO/IEC 42001.

Most people are familiar with ISO/IEC 27001, which is the standard for information security management.

ISO 42001 is the equivalent for AI.

We pushed the business to pursue this even though very few companies had it yet, because it’s how we demonstrate trust.

It shows that we have an AI management system, that we have governance and oversight over how AI is used across the company and in our products.

We’ve already used it defensively in customer deals. When customers send long questionnaires about AI governance, we can say we’re already in process for ISO 42001 and show them documentation from our auditors.

In several cases, that has been enough for customers to say we’ve already exceeded what they were asking for.

How are customers approaching AI risk today?

Heather Hinton:
What customers care about is whether they can use AI in a way that is compliant with the law and that builds trust with their end users.

There’s a sort of transitive trust happening.

They want to know that we’ve looked at the best practices and built the guardrails so that when they use our AI capabilities, they can meet regulatory expectations and customer expectations.

Regulation is changing constantly, and organizations want to know that the platform they’re using has already thought through those challenges.

How do you build a proactive cybersecurity culture instead of a reactive one?

Heather Hinton:
The secret is that everybody loves security stories.

Nobody wakes up and says they want to release something that isn’t secure. What they say is, “I have 17 other things my boss told me to do.”

So, what we focus on is collaboration and enablement.

How do we help teams succeed at what they’re trying to do while building security into the process?

Storytelling helps, too. Everybody loves the story about the incident that almost happened and the people who helped solve it.

And CISOs will always tell you—never let a crisis go to waste. You don’t do the “I told you so” dance because you never win with that (even if you want to do that in private).

But you can say, “If we introduce this discipline now, that won’t happen again.”

That’s often how real cultural change begins.

The evolving role of the CISO

After more than three decades in cybersecurity, Hinton says the biggest shift in the role isn’t technical; it’s organizational, and it’s the attitude of the organization.

Security leaders who once focused primarily on infrastructure now must understand nearly every part of the business, from product development and marketing to sales and legal. That broader perspective is essential because security decisions increasingly influence how organizations build trust, manage risk, and deliver digital experiences.

“We’re one of the few functions where you probably need to know more about the business than almost anyone else,” she says. “Because you have to influence everything.”

That expanded responsibility is one reason conversations about ethics, accountability, and leadership are becoming central to the profession, and why Hinton and her peers will continue exploring those challenges at the RSA Conference this year.