Banking, payments, insurance, oil and gas, and energy sit among the most heavily regulated sectors in the American economy, and the security leaders protecting organizations in those industries operate under a level of regulatory scrutiny that most enterprises never face. The CISOs in this feature are protecting trillions in financial assets, the payment infrastructure that underpins global commerce, the personal data of tens of millions of insurance customers, and the operational technology that keeps energy flowing across continents. Their programs reflect what security governance looks like when regulators, boards, and governments are all watching at the same time.
Kristopher Fador — Chief Information Security Officer, Bank of America
Kristopher Fador has spent more than sixteen years at Bank of America, progressing from senior manager of cyber security through business information security officer, cyber security defense executive, and deputy CISO before stepping into the CISO role in April 2023. He now leads a team of more than 3,000 security experts across 17 countries protecting the financial data of consumers, small and middle market businesses, and large corporations. Earlier in his Bank of America career he spent two years in Hong Kong as regional information security officer for Asia Pacific and led incident response, cyber forensics, third party assessments, and red team functions. Before Bank of America, he held senior consultant and manager roles at Protiviti and an intelligence analyst role at ABN AMRO Bank. He serves as chair of the board of directors of FS-ISAC, the financial services information sharing and analysis center, a management committee member of the Financial Services Sector Coordinating Council, and on the boards of Lake Forest College and the Center for Coastal Studies. That sixteen-year career built entirely inside one of the world’s largest banks, anchored by deep community and industry governance engagement, reflects a security leader whose institutional knowledge of financial services security is as deep as it gets.
Subra Kumaraswamy — Senior Vice President and Chief Information Security Officer, Visa
Subra Kumaraswamy has served as SVP and CISO at Visa since May 2022, leading security for the global payments network whose infrastructure underpins trillions of dollars in annual transaction volume. He spent more than ten years at Visa before stepping into the CISO role, building deep institutional knowledge of payment security as VP of product security engineering and security architecture. His earlier career spans director of application, cloud, and emerging technologies security at Intuit, director of security architecture at eBay, seven years as a security practitioner at Oracle and Sun Microsystems, and infrastructure engineering management at Lycos and IT architecture at Netscape during the foundational years of the commercial internet. He is also co-author of Cloud Security and Privacy, published in 2009, and co-founded Zingdata in 2000. That arc from early internet infrastructure engineering through payment security architecture to global payments CISO reflects a practitioner whose technical depth in the systems he now protects is genuinely unusual at the executive level.
Dan Antilley — Chief Information Security Officer, MetLife
Before coaching high school basketball in Texas, Dan Antilley spent three years transforming a struggling program into a playoff team, a chapter that preceded a career pivot into technology that eventually led him to one of the largest insurance companies in the world. He joined MetLife as CISO in August 2024, bringing a background built across more than sixteen years at Bank of America in global cyber security operations, followed by more than four years as CISO at Cardtronics, two years as CSO at NCR Corporation, and a brief stint as global security and cash operations officer at NCR Atleos following its spinoff. At Bank of America, his responsibilities spanned cyber forensics and incident response, insider threat, merger and acquisition security work across two large mergers, perimeter monitoring, remote access engineering and operations, and program management across all information security verticals. That progression from network security roots through one of the most operationally complex security programs in banking to insurance CISO reflects a career shaped by operational depth and institutional breadth in equal measure.
Jon Raper — Chief Information Security Officer, Chevron
Before his security career in the private sector, Jon Raper spent nearly four years as a special agent with the US Secret Service, an experience that shaped how he approaches threat intelligence, investigation, and the intersection of physical and digital security. He joined Walmart as senior manager of data assurance and cyber intelligence, then led security incident response for 10,000 global retail stores before moving to Oracle as director and senior director of global information security, building the security operations center for lines of business and overseeing detection, threat intelligence, vulnerability management, and digital forensics. He then served as CISO at Costco for three years, protecting a $158 billion global enterprise with more than 800 retail facilities across 19 countries, before stepping into the CISO role at Chevron in July 2025. That career arc from Secret Service through global retail and technology security to one of the world’s largest integrated energy companies reflects a security leader whose experience spans the full range of what operational security demands at enterprise scale.
Shazad Shafi — OT Chief Information Security Officer, ExxonMobil
Shazad Shafi arrived at the OT CISO role at ExxonMobil in December 2023 through a career spent almost entirely inside the company’s engineering and operations functions. He began as a control systems engineer at Exxon Research and Engineering in 1997 and spent the following two decades in control systems supervision, group head leadership, instrumentation and automation project management, pipeline operations management across the US central south and northwest regions, and engineering services management across Asia Pacific, before stepping into the OT CISO seat. That path from process control engineer to operational technology security executive is not a conventional one, and it gives him something that externally recruited security leaders cannot bring: a direct, hands-on understanding of how ExxonMobil’s refineries, chemical plants, pipelines, and manufacturing facilities actually operate. Securing operational technology in the oil and gas industry requires exactly that kind of engineering fluency, and his career reflects an organization that recognized it.
Regulated Industries Demand a Different Kind of Security Leadership
Banking regulators, payment network standards bodies, insurance commissioners, pipeline security directives, and energy sector oversight bodies all create a compliance environment that shapes how security programs are built and governed in these industries. The leaders in this feature do not simply manage technical security programs. They manage regulatory relationships, board reporting obligations, cross-sector information sharing responsibilities, and the public accountability that comes with protecting infrastructure that entire economies depend on. That weight is what distinguishes security leadership in the most regulated industries from security leadership everywhere else.
Discover the CISOs in the various highly regulated industries:
