5 Minutes With
Financial Services, Cybersecurity and the Evolving Threat Landscape

Security magazine talks with Leilani Farol, SVP and CISO at First Horizon Bank, about how financial institutions can manage the threats associated with an evolving cyber landscape.
Security magazine: Tell us about your career and background.
Farol: My career has spanned cybersecurity, risk management and technology leadership, primarily working within financial services companies and other regulated organizations both within the United States and internationally. In my role as SVP and Chief Information Security Officer at First Horizon, I am focused on developing and overseeing the bank’s information, cyber and technology security.
Over the course of my 25+ year career, I’ve seen cybersecurity evolve from a more technical function to a core business priority. CEOs, boards and shareholders understand that security can’t be an afterthought. The most cyber-resilient organizations today aren’t operating in silos. They’re strengthening resilience as part of their daily business operations, and that’s exactly what my team and I are focused on at First Horizon.
Security: What are your thoughts on the evolving threat landscape? How can financial institutions strategically manage these risks?
Farol: The threat landscape is accelerating faster than ever before, fueled by AI-powered threats and growing regulatory pressures. While AI is creating powerful opportunities to strengthen cyber defenses, threat actors are also leveraging AI to enhance and scale their attacks.
The financial services industry is seeing more frequent and sophisticated phishing and business email compromise attempts. Identity theft, ransomware, Distributed Denial-of-Service (DDoS) attacks and third-party risk are also top of mind. The good news is that, as a long-standing leader in cyber collaboration, governance and risk management, the financial sector is well positioned to stay ahead of this evolving threat landscape.
As a financial institution and partner, we don’t just manage capital, we manage trust. Clients trust us to protect their data and safeguard their accounts. Maintaining that trust requires not only strong technology, but also transparency, collaboration and the right culture.
At my organization, we are focused on delivering the highest level of security possible by building a first-class cyber team, maintaining open lines of communication between cybersecurity leadership and the board and prioritizing the education of associates and clients on cyber hygiene best practices.
Security: What do security leaders need to understand about the intersection between cyber, risk, governance and compliance?
Farol: CISOs cannot operate in a silo. Over the course of my career, I’ve seen the industry evolve from Information Security to Cyber Security — a connected and critical business risk function that’s on the minds of CEOs, boards and shareholders. By bringing together cyber, risk governance and compliance, organizations can create a stronger, more coordinated function. It’s not just about setting and enforcing rules; it’s about aligning these risk intelligence functions with business strategy.
The most effective CISOs view themselves as risk advisors, responsible for translating cyber risks into business impact to build sustainable, long-term resilience against an ever-changing threat landscape.
Security: When implementing new technologies, how can security leaders ensure their organization maintains a security-first mindset?
Farol: Never trust, always verify. Commit to a zero-trust strategy across the vendor lifecycle and treat everything as a possible threat until proven otherwise. Operating within a zero-trust architecture requires continuous monitoring and verification of everything across your network. By assuming bad actors could already be present, companies can identify issues more quickly and minimize damage.
More broadly, security leaders need to build a culture of cybersecurity where it’s viewed as a shared responsibility across the organization. This starts with educating and empowering all associates and clients. Prioritize training on how to spot suspicious activity and encourage them to report it. Due to the speed that AI advancements are developing, the number one priority remains data protection to ensure the right protocols are in place to reduce the threat landscape.
Security: Is there anything else you’d like to add?
Farol: Cyber resilience is a team sport. Today’s threat landscape is dynamic, and organizations are at a disadvantage if they think about cybersecurity in isolation. It requires not only collaboration across the organization, but across the financial services industry. Staying ahead of bad actors is only possible with a collective defense. In the current environment, threats aren’t an “if,” they’re a “when”; the key to remaining resilient is how quickly a company recovers.








