Software companies live or die by trust. Customers hand over financial data, trading positions, payroll records, and business-critical information to platforms they never see the inside of, and every layer of that stack, from the database to the SaaS interface, has to hold up under scrutiny. The CISOs in this feature are protecting fintech platforms, energy trading software, database technology, accounting and payroll SaaS, insurance broking systems, and language technology, and their programmes reflect the discipline required to secure products that other businesses build their own operations on top of.
Simon Tomkin – CISO, Enfusion
Simon Tomkin has served as CISO at Enfusion since November 2024, bringing more than twenty years of information and cyber security experience in the global fintech SaaS space. Before Enfusion, he spent a year and a half as CISO and head of operational risk at Qontigo, and more than three years as CISO at Hazeltree. Before that, he spent nearly four years as director of information security and infrastructure at ENSO Financial Analytics.
His broader career spans major technology and financial services groups including FIS, CME Group, and Deutsche Borse Group, giving him extensive experience integrating and de-integrating security and risk strategies through mergers and de-mergers. He also spent nearly five years as VP of technology at Novantas in New York. That depth across fintech platforms serving major financial institutions, banks, and hedge funds now underpins his approach to securing Enfusion’s investment management software.
Vishwajeet Sharma (Former) – CISO, CubeLogic
Vishwajeet Sharma served as CISO at CubeLogic from December 2024 until June 2026, leading global security programmes for an energy, commodity, and financial risk analysis software provider. Before his CISO title, he held the combined role of global head of technology and security operations, CISO, and DPO at CubeLogic for more than five years, and before that head of global DevOps at the same company, giving him nearly nine years of continuous tenure across technology and security leadership there.
His earlier career includes more than two years as team lead of the network operations centre at OpenLink Financial in Bangalore, and sixteen years in the Indian Air Force, where he served as enterprise solution architect managing data centres, disaster recovery, and security operations across multiple Air Force establishments. That military infrastructure foundation, carried into nearly a decade of security leadership at a single energy and commodity trading software company, reflects a career built on the operational discipline of mission-critical systems.
Andres Mendez – CISO, Event Store
Andres Mendez has served as CISO at Event Store, an open source stream database company, since January 2021, achieving the company’s ISO 27001, SOC 2, and GDPR compliance and certifications in his first year. His path to that role is one of the more distinctive in this feature. At age 19, he began writing a “Hacking Course” for a Spanish technology magazine that lasted twelve years and produced three books on hacking and three on Linux. At 22, he co-founded his own information security company, Redys, and went on to work for Spain’s National Cryptological Centre, authoring national security guidelines and improving the PILAR risk assessment tool used by the Spanish government, NATO, and other countries.
Before Event Store, he spent four years as head of penetration and vulnerability testing services at GLI UK Gaming, building the first gambling lab to obtain PCI ASV certification, and ten months as a cyber security manager at EY in Dublin leading penetration testing engagements for banking and financial services clients across Europe. Earlier, he spent nearly seven years at Ingenia as information security services senior manager and virtual CISO, including seven years as virtual CISO for a bank, and created his own IT governance, risk, and compliance tool, e-PULPO. More than 22 years in cybersecurity, ten of them in dedicated penetration testing, gives him a genuinely offensive security foundation that now shapes how he protects Event Store’s database technology through blue team defence.
Richard Grey – CISO, Bright
Richard Grey has served as CISO at Bright, a payroll, accounting, and tax software provider serving SMEs across the UK and Ireland, since September 2022. Before Bright, he spent five years at FreeAgent, the cloud-based accounting platform acquired by NatWest, rising from head of information security to director of information security. Before FreeAgent, he spent more than three years as CISO and CTO at Curo, and nearly nine years as head of infrastructure and security at Vebnet, part of the Standard Life Group, managing IT infrastructure and security for a flexible benefits scheme serving more than 250 clients and 500,000 employee users globally.
His earlier career includes build manager and infrastructure and development manager roles, and more than twenty five years across the software industry overall. He has held CISSP certification since 2011. That progression through SaaS companies providing accounting, compensation management, and employee benefits, several of them subsequently acquired by larger players, reflects a career built on scaling security programmes through periods of significant corporate change.
Manshah Yousaf – CISO, CDL Software
Manshah Yousaf has served as CISO at CDL Software, an insurance broking software provider, since May 2022, bringing a background that combines cyber security expertise with risk and governance experience specifically within financial services. Before CDL, he spent three years as head of information security at wejo, and six months as group IT manager and head of security and compliance at Luxfer, where he reduced IT costs by $1 million while completing a GDPR project ahead of schedule and implementing an anti-phishing programme that cut incidents from dozens per month to single digits.
Before Luxfer, he spent nearly two years as senior information security and risk consultant at NBrown, and nine months as an information security specialist consultant at the BBC, where he built a threat landscape portfolio in response to sustained attacks on the corporation. He began his security career at Barclays as a cyber security and risk consultant, advising on product security across one of the world’s largest banks. That progression through retail, manufacturing, media, and banking security roles before settling into insurance software CISO leadership gives him a broad regulatory and sector foundation.
Michelle Tolmay – CISO, RWS Group
Michelle Tolmay has served as CISO at RWS Group, a language and localisation technology company, since March 2026, having spent the preceding eleven months as CISO at Tracsis PLC. Before Tracsis, she spent more than three years at Kaluza across CISO, director of tech operations, and head of infosec and tech services roles, and more than two years as director of information security at Photobox.
Her earlier career spans global senior manager of information security at CloudFactory, information security compliance officer at BookingBug, information security assurance manager at Hitachi Capital, and more than four years as a security officer at ASOS.com, having started her security career as a security consultant at Integralis. She describes falling into cybersecurity through a passion for taking things apart to understand how they work, moving from penetration testing into consulting and auditing because she wanted more interaction with people. She has spoken publicly about being a woman in cybersecurity, encouraging others to network, ask questions, and not be intimidated by underrepresentation in the field. That breadth across ecommerce, financial services, outsourcing, and now consecutive CISO roles at Tracsis and RWS Group reflects a security leader who views her function as an enabler of business offerings rather than a blocker of progress.
Every Platform Is Someone Else’s Infrastructure
The companies in this feature build the software that other businesses depend on to trade, process payroll, manage risk, translate content, and store data. When a customer trusts a SaaS platform, they are trusting the security programme behind it just as much as the product itself. The leaders in this feature understand that their security posture is not a backend concern. It is part of what they are selling, and their programmes reflect the discipline required to earn and keep that trust.
Discover more of the UK’s cybersecurity leaders:
- Beauty and the Breach: CISOs to Watch in Beauty, Health, and Wellness
- Behind Every Address: Cybersecurity Leaders in Property and Real Estate
- Behind the Campaign: CISOs to Watch in Advertising, Media, and Loyalty
- Foundations of Trust: CISOs to Watch in UK Construction and Engineering
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.

