Sergej Epp’s journey into cybersecurity started with a hands-on lesson. As a student, he built and published a simple web server, which was compromised within days through a vulnerability in his own code. Rather than putting him off, the experience sparked his interest in understanding how systems work and how to secure them. That curiosity laid the foundation for a career focused on strengthening cybersecurity at both the technical and strategic levels.
After leading global cyber defense efforts at Deutsche Bank and spending more than six years as CISO at Palo Alto Networks, Sergej recently became the Chief Information Security Officer at Sysdig - a global leader in cloud and open source security. His focus now lies at the core of modern enterprise defense: securing cloud-native environments, managing supply chain risk, and embedding awareness throughout the organization.
In this conversation, Sergej reflects on the evolving threat landscape, the growing demands on CISOs, and why effective leadership begins with engagement - not fear.
“It started quite early for me. I was still in school and had published a small web server I coded myself. Within two days, someone found a vulnerability and exploited it. I was angry, yes - but mostly intrigued. That moment pulled me into the world of security. What keeps me in it is the pace. Cybersecurity is one of the most dynamic fields - cloud, blockchain, containers, AI... There's always a new wave of innovation that forces us to adapt fast. You’re constantly learning. And for someone who’s endlessly curious, that’s addictive.”
“It’s not the technology, as many might assume - it’s the strategic blind spots. Too often, organizations either don’t have a clear understanding of their actual risk exposure or assume that simply having security tools in place means they’re protected. That mindset is risky. I frequently see oversimplified security strategies and a lack of realistic testing. Without simulating real-world attack scenarios, it’s nearly impossible to prioritize defenses effectively. And fixing everything is simply a pipe dream. That’s why I’m a strong advocate for red teaming, simulations, and assume-breach thinking, especially in regulated sectors like finance, where operational resilience can impact the entire industry or economy.”
“AI is accelerating both the volume and precision of attacks - from more convincing phishing emails to realistic deepfakes. CISOs need to get ahead of this by clearly defining ownership of AI-related risks across legal, compliance, and engineering teams. It’s not just about policies - it’s about visibility. You need to understand how AI is being used internally and what exposures that creates. At the same time, invest in AI-powered security platforms that can detect anomalies in real time, automate response workflows, and help reduce operational complexity. And even with the best tools, a culture of awareness and education remains your strongest line of defense.”
“Absolutely. AI has enormous potential to amplify defense. We’re already seeing copilots helping security teams triage alerts, detect threats, and improve visibility. But that only works if security is baked into the AI lifecycle. I believe CISOs are becoming Chief AI Security Officers in many ways. We have to define measurable KPIs and ensure our AI systems can defend against manipulation, data poisoning, and misuse. AI won’t replace human expertise, but it should augment it in powerful ways.”
“There’s often a mismatch in expectations. CISOs are held responsible for everything, yet the rest of the organization isn’t always equally engaged in security efforts, and cyber literacy at the board level is still lacking in many cases. It’s important to help executives see behind the curtain and build confidence in their security decisions. Fortunately, things are starting to shift. Regulations like NIS2 are making boards legally accountable for cybersecurity. That’s an important step, but only if it leads to real engagement. The key is not to create fear, but to inspire shared ownership. One of the most effective moves I’ve seen is when board members ask their teams: ‘What value does cybersecurity bring to your work?’ That kind of question changes the dynamic - and helps take the CISO out of the crossfire.”
“It starts with a realistic, risk-based approach. You can’t secure everything equally, so focus on what matters most and build strong defenses around it. Core practices like Zero Trust, runtime security, and network segmentation help limit the impact of breaches. And identity security is critical: attackers often exploit it to move laterally. There’s no silver bullet, but layered, well-integrated controls go a long way.”
“We won’t achieve digital sovereignty in Europe without strong, collaborative cybersecurity. It’s not just a company problem; it’s a political, economic, and cultural challenge. We need cross-sector collaboration: security leaders, regulators, researchers. We’re all in the same boat, and the sooner we act like it, the better prepared we’ll be.”
“It’s a great honor, of course - but more than that, it’s an opportunity to shine a spotlight on cybersecurity as a strategic and societal priority. I want to use that platform to help elevate others in the field and make cybersecurity more visible - especially to those outside the industry. Collaboration is a big part of that. Events that bring together CISOs, startups, tech vendors, and researchers are essential. We need perspectives from across the ecosystem - from cloud to detection to identity - to strengthen our collective defenses. No single player has all the answers, but through open exchange and shared learning, we move the entire field forward.”