CISO Leadership in Action: Lessons from Tristar's Cybersecurity Playbook
- Harshil Shah
- Apr 22
- 3 min read

At a recent CISO Meet Up, Mike Villegas, CISO of Tristar Insurance Group, delivered a masterclass in leadership, resilience, and collaboration—highlighting how cybersecurity is truly a team sport. His 40-year career journey, spanning internal audit, risk management, and hands-on security leadership, reflects the evolution of the modern CISO role and the organizational mindset needed to support it.
From Resistance to Alignment: Building a Culture of Security
When Mike joined Tristar, cybersecurity wasn’t exactly at the top of everyone's priority list. “There was resistance at the start,” he admitted. But with steady leadership and a shared vision, that changed. Thanks to a CEO with an audit background and a strong tone at the top, security became a regular topic—not a quarterly checkbox.
Today, Tristar’s security committee includes not just IT leaders, but also the CEO, CFO, HR, privacy officers, and operational VPs. These bi-weekly meetings focus on real issues: compliance, vendor risk, disaster recovery, and privacy. Even better, they foster CISO networking within the company itself, aligning departments through shared understanding and decision-making.
Embedding Security and CISO Leadership Across the Business
Mike emphasized that security can’t succeed in isolation. It must be embedded in the development lifecycle, change control, and infrastructure processes. At Tristar, his security group reports directly to the CEO, giving it independence to assess risk and voice concerns without being filtered through IT.
Meanwhile, a separate security operations (SecOps) team, reporting to the CIO, focuses on implementation. “I drive the charter and direction,” Mike explained, “and they drive the deployment. It took time, but now there’s synergy.”
Translating Cyber Language into Business Impact
One of Mike’s standout strengths is communicating complex cybersecurity concepts in ways executives can understand. Over time, the leadership team has become familiar with principles like least privilege, defense-in-depth, and CVSS vulnerability scores.
More importantly, they now understand why those things matter.
Mike offers business leaders digestible knowledge in every meeting—just enough for them to ask the right questions and understand the risk landscape. “If you can make the leadership team conversant, that’s where the transformation happens,” he said.
AI and Privacy: Real-World Implementation
Tristar is embracing AI—not to replace decision-making, but to assist it. The company is building a new AI system that aggregates data for claims processors, making workflows more efficient while keeping human judgment at the center. “AI is a productivity tool, not a decision-maker,” Mike clarified.
On the privacy front, Tristar is navigating U.S. state-level privacy laws like CCPA and CPRA. With clients in all 50 states, they’ve committed to U.S.-only data processing and use two colocation data centers in Irvine, CA, and Plano, TX, instead of relying on cloud providers for production systems. It’s a practical, risk-based approach that aligns with Tristar’s legacy infrastructure and privacy obligations.
Managing Vulnerabilities with Precision
Another challenge Mike addressed was vulnerability management at scale. With constant internal and external scans, penetration tests, and alerts from their managed security service provider (MSSP), Tristar had to develop a system for prioritizing fixes. Rather than reacting to high CVSS scores alone, they weigh business criticality, application context, and remediation complexity before deciding what gets fixed first.
It’s about more than fixing—it’s about fixing what matters most, first.
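To make the prioritization idea above concrete, here is a small added example (not Tristar's actual system, and not code from the talk) that ranks a constructed set of scan findings by a composite score instead of by CVSS alone. The weights, the asset-criticality scale, the exposure multipliers, and the SLA thresholds are all assumptions chosen for illustration; a real program would derive them from its own risk appetite and asset inventory.

```python
"""Risk-based vulnerability prioritization: CVSS plus business context.

Added illustration. All weights and thresholds below are hypothetical.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    id: str                 # scanner / ticket identifier
    cvss: float             # CVSS base score, 0.0 - 10.0
    asset_criticality: int  # 1 (low) .. 5 (crown jewel); from asset inventory (assumed)
    exposure: str           # "internet", "internal", or "isolated"
    exploit_known: bool     # public exploit or active exploitation reported
    remediation_effort: int # 1 (config change) .. 5 (re-architecture)


# Assumed multipliers: internet-facing assets carry full weight,
# air-gapped / isolated ones much less.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}


def priority_score(f: Finding) -> float:
    """Composite 0-100 score: severity x business context, tempered by effort.

    - severity: normalized CVSS base score
    - context:  asset criticality scaled by network exposure
    - exploit:  a bump when exploitation is known to be practical
    - effort:   mild discount so quick wins surface first without burying hard fixes
    """
    severity = f.cvss / 10.0
    context = (f.asset_criticality / 5.0) * EXPOSURE_WEIGHT[f.exposure]
    exploit = 1.2 if f.exploit_known else 1.0
    effort = 1.0 - 0.1 * (f.remediation_effort - 1)   # 1.0 (easy) .. 0.6 (hard)
    return round(100 * severity * context * exploit * effort, 1)


def sla_days(score: float) -> int:
    """Map a composite score to a remediation target (assumed thresholds)."""
    if score >= 70:
        return 7
    if score >= 30:
        return 30
    if score >= 15:
        return 90
    return 180


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Baseline: what a CVSS-only queue looks like."""
    return [f.id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_priority(findings: List[Finding]) -> List[str]:
    """Risk-based queue: business context reorders the same findings."""
    return [f.id for f in sorted(findings, key=priority_score, reverse=True)]


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("F-1", 9.8, 1, "isolated", False, 4),  # critical CVSS, isolated lab box
    Finding("F-2", 7.5, 5, "internet", True, 2),   # claims portal, exploit public
    Finding("F-3", 6.5, 4, "internal", False, 1),  # internal app, trivial fix
    Finding("F-4", 8.8, 3, "internal", False, 5),  # legacy system, heavy rework
]


if __name__ == "__main__":
    print("CVSS-only order:     ", rank_by_cvss(SAMPLE_FINDINGS))
    print("Risk-based order:    ", rank_by_priority(SAMPLE_FINDINGS))
    for f in sorted(SAMPLE_FINDINGS, key=priority_score, reverse=True):
        s = priority_score(f)
        print(f"{f.id}: cvss={f.cvss:<4} score={s:<5} target={sla_days(s)} days")
```

On the constructed input the CVSS-only queue starts with F-1 (9.8 on an isolated lab host), while the risk-based queue puts F-2 first (an internet-facing claims system with a known exploit) and pushes F-1 to the back. That reordering is the whole point of the passage above: the scanner output stays the same, but the fix order follows business risk.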
Why This Matters for CISO Networking
Mike’s insights offer a real-world example of what modern CISO leadership looks like. At CISO Meet Ups, conversations like this help CISOs go beyond tools and tactics; they are about influence, collaboration, and leading through change.
If you’re a CISO looking to elevate your impact, attending a CISO Meet Up isn’t just a networking opportunity. It’s a chance to learn how others are building security-first cultures that last.
Want to build stronger executive alignment and get real traction on your security strategy? Join the next CISO Meet Up and hear from leaders like Mike who are doing it right.