Oil and energy security sits in a hard place: physical infrastructure, digital systems, operational uptime, regulatory pressure, and business continuity all meet at once. The leaders in this group work inside environments where cybersecurity cannot sit apart from the way the company runs. Their backgrounds move through cloud infrastructure, SCADA, incident response, compliance, vulnerability management, board reporting, and global operations.
Ameen Jwarneh – Deputy Chief Information Security Officer, Halliburton
Ameen Jwarneh stepped into the Deputy CISO role at Halliburton in March 2026 after nearly two decades with the company, with earlier leadership roles tied to global IT finance, PMO, M&A, infrastructure, cloud, data centers, and regional network operations. He has led IT infrastructure strategy in more than 80 countries, managed global data center infrastructure, and overseen cloud operations, security compliance, automation, and digital transformation for Halliburton’s iEnergy public cloud environment on Azure and AWS. Before moving into global infrastructure leadership, Jwarneh led Eastern Hemisphere network operations in more than 60 countries covering the Middle East, Africa, Asia-Pacific, Europe, and Eurasia. His security leadership is grounded in years of managing availability, architecture, budgets, service providers, cloud operations, and infrastructure teams in regions where energy technology has to work reliably at scale.
Carl Stolfi – Chief Information Security Officer, Global Partners LP
Before becoming CISO and SVP at Global Partners LP in 2019, Carl Stolfi had already spent years shaping the company’s information security, compliance, networking, and IT risk management functions. His current role includes strategic leadership for cyber security, IT compliance, IT risk management, and cyber resiliency, with responsibility for aligning security efforts to the NIST Cyber Security Framework and CIS Critical Controls. He also oversees vendor risk management, incident response, board-level cyber-risk reporting, and recommendations to the CIO on security controls for on-premise, cloud, and hosted environments. Earlier at Global, Stolfi helped develop programs for cloud risk management, vulnerability management, data governance, incident response, endpoint security, cloud access security, and IT disaster recovery. His profile also carries a deep infrastructure thread: before the executive security role, he led major LAN/WAN redesign work involving MPLS, private lines, VLANs, secure wireless, VPN edge networking, routing, QoS, and VoIP convergence.
Dan Glass – Chief Information Security Officer, Delek US Holdings
Dan Glass joined Delek US Holdings in 2026 after serving as CISO at NTT DATA North America, where he led global security transformation for more than 140,000 employees and more than 300 operating companies. His NTT DATA work included eliminating legacy VPN infrastructure through enterprise Zero Trust, securing more than 50,000 identities, establishing an AI governance framework, leading security due diligence for more than $500 million in acquisitions, and achieving clean audits tied to NIST, ISO, SOC 2, GDPR, PCI, and HIPAA compliance. His earlier CISO tenure at American Airlines adds another operational layer. There, Glass built and led security through the $40 billion merger that created the world’s largest carrier, established an IoT and avionics security program, co-founded Aviation-ISAC, and worked with DHS, FBI, and NSA on nation-state threats. At Delek US Holdings and Delek Logistics Partners, that experience now sits inside the energy sector.
Michael Wilson – Chief Information Security Officer, Tallgrass
At Tallgrass, Michael Wilson leads IT and OT cyber security, briefs executives and Blackstone, presents to the Tallgrass Board, and has built the company’s cyber security program from scratch. He became CISO in August 2023 after serving as VP Cyber Security, bringing more than 25 years of IT, OT, cyber security, management, and compliance experience. His earlier roles give the Tallgrass position a strong critical infrastructure base. At CPS Energy, Wilson worked on NERC CIP compliance, security administration of sensitive SCADA systems, SIEM devices for incident response and compliance, and patching and lockdown of critical cyber assets. At Austin Energy, he led endpoint security strategy and training for roughly 1,500 workstations, 500 servers, and 2,000 users, served as the sole digital forensics expert for investigations involving HR or law enforcement, and founded the Cyber Security Incident Response Team for corporate and critical cyber asset incidents. His Air Force background as a digital network analyst and intelligence analyst adds another layer to a career built around risk, response, and operational systems.
Kurt Haberstroh – Chief Information Security Officer, Williams
Kurt Haberstroh became CISO at Williams in November 2025 after more than 12 years at Phillips 66, where his roles moved through operational technology, SCADA, security operations, identity, staffing, and cyber security architecture. As Director of Operational Technology and Measurement at Phillips 66 Midstream, he was accountable for OT Cyber Security, SCADA, Field Automation, Terminal Automation, and Product Measurement. Earlier, at ConocoPhillips, he worked in Global Information Security Vulnerability Management, monitoring security vulnerabilities, tracking their status, and responding to information security incidents. Haberstroh’s background also includes large capital and expense budgets, strict SLAs, resource management systems, annual budget cycles, and internal service-level reporting. That mix matters in energy, where security has to align with automation, measurement, operations, and 24/7 coverage.
Francis Finley – Chief Information Security Officer, Colonial Pipeline Company
Francis Finley became CISO at Colonial Pipeline Company in September 2025 after more than three years with the company as Senior Director of Security Operations. Before Colonial, he served as VP of Cyber Threat Detection, Response, and Vulnerability Management at Equifax, Senior Director of Cyber Threat at Concentrix, Vice President of Cyber Threat at Equifax, and Senior Director of the Cyber Threat Center at Equifax. His earlier career also includes work as a Senior Cyber Security Analyst at CERT and more than seven years as an Information System Security Officer at the U.S. Department of Homeland Security. Finley’s profile is one of the more threat-focused paths in this group, with sustained work in detection, response, vulnerability management, security operations, and public-sector security before taking on the CISO role at a major pipeline company.
Connie Devine – Chief Information Security Officer, Phillips 66
Connie Devine became CISO at Phillips 66 in June 2026 after serving as Deputy CISO from April 2025, a short transition that followed a much longer career in energy technology and security. She previously served as VP of IT Security and Audit at Excelerate Energy and spent 27 years at ExxonMobil as Senior Manager Information Technology Security. Her background covers security management, governance, risk, compliance, penetration testing, global regulatory compliance, information governance, and standards such as NIST 800-53, ISO 27001, SOX, HIPAA, PCI, and GDPR. The source material also points to board and senior management communication, protection of critical infrastructure and sensitive data, and cybersecurity leadership within the oil and gas sector. Devine’s profile is built around long-term energy experience, audit discipline, and security governance rather than a short climb into the CISO seat.
Energy Security Is an Operations Story
The common thread in this group is not one technology or one career path. It is the discipline of protecting organizations where cyber risk sits close to infrastructure, field operations, cloud environments, compliance, budgets, and executive accountability. These leaders came through SCADA, aviation security, federal security, consulting, network engineering, vulnerability management, audit, cloud infrastructure, and program governance. Together, they show why oil and energy security cannot be treated as a detached corporate function. In this sector, security leadership has to understand how the business runs.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.