An Interview with
Adrian Salas
Secure Innovation and Agile Risk Management
About the Interviewer:
Matt Gordon
Matt is a Chicago-based cybersecurity headhunter, focusing exclusively on partnering with CISOs to help them land their next role and build their security functions. As a Principal Consultant at Intaso, he is part of a team that brings over 30 years of combined experience connecting technical security talent with innovative companies, resulting in more than 100 successful CISO placements.
Intaso’s success is built on a genuine passion for the cybersecurity industry, a commitment to quality, and a tailored, personal approach that delivers results for businesses of all sizes.
Adrian Salas
Adrian Salas is an Executive Cybersecurity Leader with over 20 years of experience driving security transformation across global enterprises.
He has served as Chief Information Security Officer multiple times, leading teams of more than 200 professionals and managing budgets exceeding $50 million. Known for building high-performing cybersecurity programs in months—not years—Adrian is well-versed in digital transformation, M&A due diligence, and global team development.
His passion is clear: mitigating risk, enhancing efficiency, and turning security into a catalyst for business growth.
Where in the product lifecycle have you seen security slow teams down the most, and what did you change to flip security into an accelerator?
Security typically slows teams during late-stage testing or pre-release reviews, when vulnerabilities surface after development.
Fixing issues at that point means rework, delays, and tension.
What I changed:
- Shift Left: Embedded security checks directly into CI/CD pipelines so issues are caught during coding.
- Security Champions: Trained developers in each squad to own security decisions early.
- Automated Testing: Integrated SAST and DAST tools into build processes for continuous scanning.
This reduced last-minute surprises, cut remediation time by 40%, and improved release predictability.
If you had to design a modern DevSecOps program from zero, what are the first three controls you'd embed and why those over everything else?
- Automated Code Scanning (SAST): Detects vulnerabilities at commit time, preventing insecure code from entering the pipeline.
- Secrets Management: Eliminates hard-coded credentials and API keys, which are common vectors for breaches.
- Container Image Scanning: Ensures dependencies and base images are free of known CVEs before deployment.
Why these? They tackle the highest-risk areas early (code, credentials, and dependencies) while scaling across agile teams without slowing velocity.
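A concrete way the three controls above combine into a single commit-time gate, as an added example that is not the interviewee's own tooling: the scanner-output format, the sample findings, the CVE ids and the secret patterns are all assumed or constructed for illustration.

```python
import re

# Constructed sample scanner output; the dict layout is an assumption, not any real tool's format.
SAST_FINDINGS = [
    {"rule": "sql-injection", "severity": "high", "file": "app/db.py", "line": 42},
    {"rule": "weak-hash-md5", "severity": "medium", "file": "app/auth.py", "line": 17},
]
IMAGE_CVES = [  # placeholder ids, not real CVE numbers
    {"id": "CVE-PLACEHOLDER-1", "severity": "critical", "package": "openssl", "fixed_in": "3.0.13"},
    {"id": "CVE-PLACEHOLDER-2", "severity": "low", "package": "zlib", "fixed_in": None},
]
SOURCE_FILES = {  # constructed source snippets: one with hard-coded secrets, one reading from the environment
    "app/config.py": 'DB_URL = "postgres://user:Pa55w0rd@db/prod"\nAPI_KEY = "c3RyaW5nZm9yZGVtbw0000"\n',
    "app/ok.py": 'token = os.environ["API_TOKEN"]\n',
}

# Two deliberately simple secret detectors: a password embedded in a URL, and a
# long quoted literal assigned to a key/secret/token-style variable name.
SECRET_PATTERNS = {
    "url-with-password": re.compile(r"://[^:/\s]+:[^@\s]+@"),
    "hardcoded-key": re.compile(r"(?i)(api[_-]?key|secret|token)\s*=\s*[\"'][A-Za-z0-9/+]{16,}[\"']"),
}
BLOCKING = {"critical", "high"}


def find_secrets(files):
    """Return (path, line, pattern-name) for every line matching a secret pattern."""
    hits = []
    for path, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for name, pat in SECRET_PATTERNS.items():
                if pat.search(line):
                    hits.append((path, lineno, name))
    return hits


def evaluate_gate(sast, cves, files, blocking=BLOCKING):
    """Return (allowed, reasons). Any blocking-severity SAST finding, any detected
    secret, or any blocking-severity CVE that already has a fix fails the build."""
    reasons = []
    for f in sast:
        if f["severity"] in blocking:
            reasons.append(f"SAST {f['rule']} at {f['file']}:{f['line']}")
    for path, lineno, name in find_secrets(files):
        reasons.append(f"secret {name} at {path}:{lineno}")
    for c in cves:
        if c["severity"] in blocking and c["fixed_in"]:
            reasons.append(f"{c['id']} in {c['package']} (fix: {c['fixed_in']})")
    return (not reasons, reasons)
```

Unfixable low-severity CVEs are reported elsewhere rather than blocking the merge, which is the trade-off that keeps a gate like this from being bypassed by developers under delivery pressure.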
What's one example where shipping faster increased your risk - and another where security automation actually increased shipping speed?
Risk Example
A rushed release skipped dependency checks, introducing a vulnerable library that later required an emergency patch.
Win Example
Automated container scanning in CI/CD flagged issues instantly, allowing developers to fix before deployment, with no delays, and confidence to ship faster.
How do you decide which security decisions developers should make themselves versus the ones that get centralized or automated?
Developers handle what’s close to their code; the security team governs systemic controls. This is a true principle.
- Developers Own: Low-risk, repeatable decisions like input validation or using approved libraries.
- Centralized: High-impact areas like encryption standards, identity management, and regulatory compliance.
- Automated: Vulnerability scanning, secrets rotation, and policy enforcement in pipelines.
How has AI changed your product threat model in practice, not in theory?
Let’s be honest, AI introduced new attack surfaces:
- Model Poisoning: Training data integrity became critical.
- Prompt Injection: For generative AI features, user input can manipulate outputs.
- Data Privacy: AI models can inadvertently memorize sensitive data.
What broke: Traditional static scanning missed AI-specific risks.
What surprised me: The speed at which adversarial AI attacks evolved.
Lesson learned: Never roll out AI features without a dedicated AI security review; even a lightweight vetting process is better than none.
When product leaders push for speed, what language or metrics actually get them to care about security early, not later?
Language:
“Security accelerates delivery” – show how early fixes prevent costly rework.
Metrics:
- Mean Time to Remediate (MTTR) for late-stage issues vs. early-stage fixes.
- Cost of delay from security bugs vs. automated prevention.
- Compliance readiness as a market enabler.
Example: “Embedding security in CI/CD reduced release delays by 30% and avoided $500K in potential breach costs.”
Final Thoughts
Security isn’t just about defense anymore; it’s about enabling speed, trust, and growth. When we embed security early, automate intelligently, and align with business goals, we turn what used to be a bottleneck into a competitive advantage.
As CISOs, our role is to make security invisible when it needs to be, and impactful when it matters most.