Software companies present a particular kind of security challenge. The product is the risk surface. Customers are trusting the platform with their data, their workflows, and increasingly their AI-driven decisions, which means security is not just an internal function but a core part of what the business is selling. The leaders in this feature are securing some of Colorado’s most recognizable software and technology companies, from global payments infrastructure to insurance technology to learning management platforms, and doing it in environments where the security program has to keep pace with the product.
Jennifer Carati — Head of Security Governance, Risk, and Compliance, Office of the CISO, Stripe
Jennifer Carati built her security career the way most practitioners would envy: she started by constructing the function from scratch. At TaxJar, she created the IT, security, governance, risk, and compliance programs from the ground up before the company was acquired by Stripe, where she has since held senior roles in the Office of the CISO. Before TaxJar, she completed the company’s first SOC 2 Type 1 and Type 2 audits at eSURETY and managed Azure PaaS and IaaS security across the organization’s cloud infrastructure. Her background spans compliance program development, cloud security, and the kind of foundational GRC work that determines whether a security program actually holds up when it matters.
Greg Biegen — Chief Information Security Officer, TPx
Greg Biegen stepped into the CISO role at TPx in October 2025, bringing nearly a decade of security leadership experience from director-level roles at Vendavo, Cherwell Software, EMS Software, and Quest Software, where he spent nearly five years as director of global cybersecurity. His career reflects a pattern of being handed security programs that need structure and building them into something functional. At Cherwell, he served as primary incident manager on all major security events and presented regularly to the board. At Quest, he became the go-to advisor for leadership on all security, audit, business continuity, and GDPR matters. He holds CISM and CDPSE certifications and a degree in applied mathematics from the University of Colorado.
Curtis Letson — Vice President and Chief Information Security Officer, Vertafore
The numbers Curtis Letson puts forward are specific enough to be credible. Across his recent roles, he has reduced compliance findings by 75 percent, cut incident response times by 50 percent, reduced vulnerabilities by 40 percent, lowered material risk exposure by 25 percent, and delivered zero SOX findings in a regulated financial environment. At Vertafore, where he has served as VP and CISO since November 2024, he built an international security organization and stepped into an interim VP of technology operations role covering global IT, cloud operations, and DevOps while reducing the department budget by more than five million dollars. Before Vertafore, he led security at Xpansiv and Pulte Mortgage, and spent three years as senior director of IT operations and security at the SANS Institute. His background spans SaaS, financial services, healthcare, education, mining, real estate, and energy.
Matthew Sharp — Chief Information Security Officer, Xactly Corp
Matthew Sharp chairs both the AI Guidance and Governance Committee and the Information Security and Privacy Council at Xactly, a Vista Equity Partners portfolio company, reflecting how central AI governance has become to his security mandate. Over nineteen years he has led security organizations across public, private, and venture and private equity-backed software companies, and he serves as a venture advisor to YL Ventures, advising founders on go-to-market strategy and buyer alignment. He has served on advisory boards for Okta, F5, Veracode, Coalfire, Deepwatch, and others, and co-authored The CISO Evolution: Business Knowledge for Cybersecurity Executives. He has spoken at RSA, AWS Summit, Cloud Security Alliance, Snowflake Summit, and the FTC, among others. A Corporate Finalist at the 2024 ORBIE Awards, he is one of the more publicly visible security leaders in Colorado’s software community.
Emily Cellar — Chief Information Security Officer, Flexential
Emily Cellar stepped into her first CISO role at Flexential in January 2026, bringing a track record built across four VP-level IT and security positions that included M&A systems integrations, cloud migrations, IAM implementations, and Cloud Centers of Enablement across AWS, Azure, and Alibaba Cloud. At iFIT, she built the Global Cloud Center of Enablement, led security and infrastructure for the company’s flagship product launch in Shanghai, spearheaded Alibaba Cloud deployment in China to meet PIPL compliance requirements, and delivered over $1.2 million in cost savings in her first year. She also founded WITI, Women in Technical Infrastructure, in 2019, a community of more than 850 members supporting women in cybersecurity, networking, and systems roles. That combination of hands-on infrastructure depth and deliberate community-building is not a typical CISO profile.
Jeffrey Shank — Chief Information Security Officer, Xyleme
Jeffrey Shank has been with Xyleme for nearly seventeen years, moving from director of IT through deputy director, director of engineering infrastructure, and director of engineering before stepping into the CISO role in November 2021. That progression from IT director to CISO inside a single software company over a decade and a half gives him a depth of platform knowledge that is difficult to acquire any other way. His technical work includes leading Xyleme’s migration to a fully integrated AWS environment, reducing operational costs and improving scalability, alongside security practices aligned with OWASP and NIST SP 800-53. Three decades of IT leadership, most of it inside software environments, informs how he approaches security as an operational discipline rather than a compliance exercise.
Security Built Into the Product, Not Bolted On
The common thread across this group is that none of them are running security programs that sit apart from the business. They are embedded in product decisions, cloud architecture, AI governance, and customer trust conversations. In software, that is the only model that actually works. Customers evaluating a platform want to know that security was a design consideration, not an afterthought. The leaders in this feature are the ones making sure it is.
Explore more profiles of the leaders shaping cybersecurity across the software industry: