
Daniel Bowden (CISO at Marsh McLennan) has led cybersecurity across some of the world’s most risk-sensitive industries. He is known for his proactive approach to cybersecurity training, and we asked him to reflect on how he navigates regulatory landscapes, builds cross-functional trust, and creates real-world learning opportunities for the next generation of cyber talent.
Here’s what he told us.
“Healthcare and insurance are both highly regulated, risk-sensitive environments, but their risk profiles and attack surfaces differ significantly.
“In healthcare, patient safety and privacy are critical, making cybersecurity tightly linked to clinical operations – where a breach can have life-or-death consequences.
“Conversely, the insurance sector involves managing complex regulatory requirements, vast amounts of sensitive financial data, and high expectations around business continuity and resilience.
“When transitioning between sectors, I approached it with humility – listening, understanding the specific risk language, and tailoring threat models to the regulatory landscape. My strategy anchored security to business outcomes rather than rigid frameworks, viewing compliance as a baseline. I prioritised operational resilience, data governance, and real-time risk intelligence. Because effective cybersecurity must adapt to each sector’s unique challenges.”
“Relationships are your force multiplier. When you move sectors, your technical skillset won’t save you – contextual awareness and political acumen will. So the lesson is…don’t show up thinking you're the smartest person in the room. Show up curious. Listen more than you speak, and build credibility with the business first.
“Also, don’t underestimate the cultural shift. Every industry has its tempo, jargon, and unwritten rules. Understand those quickly, or you’ll get stuck solving the wrong problems.
“And finally, bring a framework for decision-making, not a rigid program. Adaptability beats orthodoxy every time.”
“My perspective on internships and student programs has only strengthened over time. I believe meaningful, impactful work is essential for developing the next generation of cybersecurity professionals. Students need hands-on experience with real threats and challenges, not just shadowing or menial tasks, to build skills, confidence, and passion.
“At Marsh McLennan, we foster an inclusive environment that promotes learning, mentorship, and career growth through initiatives like the ‘Tech Gig’ program – a diverse, global collaboration of 20-25 security professionals and 35 colleagues from across our technology and business units. It encourages rich interactions, problem-solving, and knowledge sharing, demonstrating how meaningful engagement accelerates growth and innovation.
“Empowering students and professionals with real work enhances their development, but it also strengthens our collective cybersecurity resilience, so we can stay adaptive and prepared in a rapidly evolving threat landscape.”
“Early in my career, I thought cybersecurity was about locking things down. Control everything, restrict everything, prevent everything. Classic ‘castle-and-moat’ mindset.
“Now, I see security as an enabler of trust and resilience, not just a blocker of bad things. The real mission is risk-informed decision support that enables the business to operate confidently in a world of uncertainty.
“I’ve also learned that you can’t firewall your way out of systemic risk. You need visibility, intelligence, and adaptability. Security must be dynamic – aligned to business priorities and scalable across complex ecosystems.”
“I’d say: ‘Learn the business, not just the tech.’ Knowing how to configure firewalls, detect intrusions, or write a killer incident report is valuable. But understanding how your business makes money, serves customers, and navigates risk – that’s priceless.
“I’d also remind myself that cybersecurity is a team sport. You’ll need alliances in legal, compliance, finance, operations. Win hearts and minds early, or you’ll be stuck fighting alone.
“And one more thing: never waste a crisis. When things go sideways (and they will), that’s your moment to lead.”
Thanks to Daniel Bowden at Marsh McLennan.