Holistic security methods are the only effective security methods, according to Black Duck’s Ishpreet Singh.

Few people Tech Monitor has interviewed for this section more closely resemble a “Mover and Shaker” than Ishpreet Singh. Singh’s CV, which is essentially a list of stints at the most cutting-edge shops in security, includes positions at Splunk, Imperva, and Qualys, as well as a valued seat on CNBC’s renowned Executive Tech Council. The security veteran, who was recently appointed CIO of Black Duck, is eager to make his mark at the relaunched and revitalized business, which is now completely independent of its former owner, Synopsys.

As an independent business, Singh told Tech Monitor, “there are so many opportunities for us to address upcoming security problems.” For instance, “the security challenges in software-borne vulnerabilities are only getting worse.” These challenges also relate to the widespread deployment of AI. In the following dialogue, Singh explains his goals for Black Duck as the new kid on the block and the dangers that other security CIOs would be wise to avoid. The conversation has been edited for length and clarity.

According to Black Duck’s Ishpreet Singh, an effective CIO of a security company is one who understands the organization’s security posture at every level of operation. (Photo: Black Duck)

You’ve held important jobs at Imperva, Splunk, and Qualys. What made you decide to join Black Duck?

Ishpreet Singh: I wanted to work for an award-winning group with a distinct goal: to secure the application of the client without putting their developers at risk. And as a CIO, I have access to a lot of tools and teams that I can use to help us reach that goal, starting with our detailed risk management solutions, as well as our customer consulting program, and AI-powered security solutions. In our Innovation Lab and Cybersecurity Research Centre, a small army of scientists and engineers support the team developing those products. They are constantly looking for new opportunities, such as creating socially appropriate SBOMs [software bills of materials] for compiled languages like C/C++, where the SBOM may vary depending on the target’s CPU architecture. In essence, their excellent job positions me to contribute to Black Duck’s reputation as a security force.

What are your top priorities as a CIO?

My top priority should always be to improve Black Duck’s safety pose, to better protect both the business and its customers. That means ensuring compliance with important laws, such as ISO 27001 and SOC 2, and improving zero-trust infrastructure to safeguard delicate customer information. I’m also committed to upholding the company’s strong cyber-resilience plan, ensuring a quick response to any unexpected events, and putting in place disaster recovery plans.

In general, I’m constantly trying to scale Black Duck’s IT infrastructure, putting AI-driven technology into our internal systems to improve the company’s operational efficiency wherever possible. That also means updating our systems to be more accurate and lean for our sales, marketing, and G&A functions, and working with government and regulatory bodies regularly to ensure that our safety compliance solutions stay on top of the latest trends and requirements.

How has your past experience at Qualys, Imperva, and Splunk shaped these objectives?

My expertise in business safety, cloud change, AI adoption, and functional scale-up helps me bridge the gaps between company strategy, cybersecurity resilience, and technology innovation. My experience will help Black Duck become a supplier of AI-powered company solutions as open-source risks, security, and DevSecOps maturity become enterprise priorities.

My work at those companies has taught me to constantly think about my CIO objectives in a holistic way. Security should be seen as a basic business plan for a security company as opposed to just a compliance requirement. Beginning with the original customer wedding, it is crucial to prioritize protection as a development opportunity and enabling functionality.

I’m fortunate that the CISO works straight for me, but I’d advise my peers to make the best effort to learn as much as they can about their company’s cybersecurity posture because, after all, you may only secure what you know. From there, that position may be improved across the board, with the entire objective being progressively distributed through your teams to develop the kinds of capabilities that will enable you to face any challenge. Many businesses try to solve the issue by addressing their primary compliance requirements first, but when you start with that goal in mind, you’ll end up completing all those regulatory requirements immediately.

And how do you use AI both internally and externally?

AI is integrated into our services to utilize cutting-edge technologies, the better way to keep our competitive advantage. Without AI, I’ve found that AppSec slows down and is ineffective, causing more threats, putting off changes, and overburdening surveillance teams.

AI has proven to be very helpful to us in many ways. For instance, our AI-enabled application security assistant tool analyzes application code socially to reduce false positives, helping to understand genuine execution behavior rather than just pattern matching. Our software models rank vulnerabilities based on exploitability, company effect, and risk severity, ensuring teams prioritize critical threats. This is done by machine learning-based prioritization. Meanwhile, our Software Composition Analysis (SCA) generates and updates SBOMs, providing real-time visibility into open-source risks and snippet analysis for AI-generated code.

We have been eager to adopt innovative breakthroughs in AI and, more particularly, LLMs as and when they become available. We make it our top priority to do so properly, making sure controls are in area. Also, we want to offer our customers the option of receiving an LLM or allowing them to receive an LLM when an engagement involves source code, as part of our blueprint with clients.

Technology and speed are greatly improved by AI. Nevertheless, with new technological advancements come fresh risks that are added to the risk environment. For me, ensuring that there are mechanisms and controls in place to benefit from new technology with security as a component of your technique, is very important.

What do you think security businesses are facing most frequently? And how will you prepare Black Duck to handle those difficulties?

There are numerous. AI has a significant effect, not least because it has the ability to quickly alter advancement workflows and all the security and IP risks that come with it. Another aspect of the changing danger panorama of the software supply chain that keeps me awake at night is the changing risk landscape. As officials demand ever greater accountability in IT supply chains, that is only going to make things more complicated for our clients.

Another emerging issue is the increasing difficulty of application security. After all, the field of application safety testing is more built-in and automated in development processes than ever before. Ultimately, this can be a good thing because it helps teams better identify and fix security flaws in their software earlier, reducing the chance that they will incorporate them into the final product, where they can directly affect customers. However, as the work to secure those applications has increased, it has become more challenging, as has the complexity of the process. Companies are constantly looking for ways to cut down on the “noise” that surveillance testing causes so that they can concentrate on the issues that pose the greatest threat to their business, users, and customers.

Then there is the regulatory environment, particularly in relation to software supply chains. Agency, vendor, and supplier expectations were put on notice by the Biden administration’s executive orders regarding security because they needed to be more visible and held accountable for application security practices. Similar changes to security practices in any business that sells goods in the EU will be influenced by the EU Cyber Resilience Act (CRA). Organizations are constantly attempting to comprehend and react to these activities in real time, and they turn to suppliers like us for assistance and complete compliance solutions.