Cybersecurity is no longer just about protecting data; it’s about enabling decisions, shaping culture, and building trust at scale. And that’s exactly where Mary Kate Rush is making her mark.
With a rare blend of literary thinking and operational precision, she turns risk from a static report into a living, breathing strategy. As Assistant VP of Cyber Risk & Risk Solutions at Core Specialty Insurance, she is reimagining governance and compliance not as barriers, but as building blocks of innovation.
Her storytelling background allows her to decode complexity, while her entrepreneurial mindset pushes governance to evolve alongside innovation. From embedding AI into audit systems to building confidence across business lines, Mary Kate is crafting a future where compliance fuels progress, not fear.
To understand what drives her bold, human-first approach to cybersecurity, we sat down with Mary Kate for a conversation that was anything but conventional.
Below are the excerpts from the interview:
Your background in English, literature, and entrepreneurship is quite rare in the cybersecurity field. How has this diverse academic foundation shaped your approach to cyber risk and executive communication?
My foundation in English Literature and Entrepreneurship uniquely equips me to frame cyber risk through a narrative lens—translating technical complexity into strategic insight. Literature taught me to find clarity in ambiguity, and entrepreneurship instilled the agility to navigate uncertainty. Together, they shaped how I communicate risk: not as fear, but as opportunity. I focus on telling a compelling, actionable story that leadership can engage with and use to inform decision-making.
You’ve said, “Risk reporting isn’t about checking boxes—it’s about telling the story of where we stand.” Can you unpack that for us? How do you turn technical risk insights into something leadership truly understands and acts on?
Effective risk reporting requires more than metrics—it demands meaning. If our reports don’t translate into clarity for leadership, we’ve missed the mark. I see each risk report as a narrative snapshot of our current posture: where we’ve been, where we are, and where we’re going. We strip away jargon, use real-time data to highlight patterns, and emphasize accountability. It’s not about fear—it’s about framing risk in a way that informs strategy and builds trust.
Governance, regulation, and operational oversight—three heavyweights in the cyber risk world. How do you ensure they don’t slow down innovation while still keeping compliance airtight?
We approach compliance as an enabler—not an obstacle. By embedding governance and regulatory checkpoints into the design phase of any initiative, we ensure that security enhances innovation rather than stalling it. Risk-informed decision-making is foundational, allowing us to move at speed without compromising integrity. Compliance isn’t a hurdle—it’s how we build with confidence.
In a space rooted in documentation, audit-readiness, and risk storytelling, how are you using AI tools to make governance and compliance more proactive and predictive rather than reactive and checklist-driven?
We’re at a pivotal moment. Our AI-driven cyber platforms are helping us evolve beyond static checklists into dynamic, risk-aware ecosystems. By embedding AI into our compliance infrastructure, we’re automating real-time risk reporting, linking outcomes to key performance indicators (KPIs), and giving our teams continuous visibility—not just episodic audit prep. AI isn’t replacing governance—it’s amplifying it with smarter, faster insight.
Women in cybersecurity are still underrepresented in governance and audit-heavy roles. What would you say are the invisible barriers women face in this space—and how did you personally navigate them?
There are few women leading GRC and audit-intensive programs—but I’m proud to say Core Specialty is different. I’m surrounded by experienced, capable female leaders, and I mentor the next generation through both formal programs and informal open-door guidance. Outside of cyber, I’ve sought mentors in legal, marketing, and operations—women who taught me how to own the room. Their influence helped shape the confidence and communication style I now pass on to others. Representation matters, and I work to make space at the table.
In your view, what’s the most common mistake organizations make when reporting risk to executives or regulators—and what should they be doing instead?
The biggest mistake? Making risk feel inaccessible. Overloading reports with technical detail or alarmist language alienates the very stakeholders we need to engage. Instead, reporting should be clear, contextual, and focused on impact. It should show progress, not just problems. Executives need to understand not just what’s happening, but why it matters—and what comes next.
If you could improve just one area to reduce cyber risk significantly—would you start with people, process, or technology? And why?
People. Cybersecurity awareness needs to extend outside of IT and should be part of the business culture. As new threats evolve, anyone can truly be a target. Cyber risk education across business units is incredibly important to protect companies, assets, and staff themselves. People—without question. Technology and process are critical, but human behavior is the constant across every incident vector. Cyber awareness must extend beyond IT into every part of the organization. When staff understand how they contribute to resilience, they become our first line of defense—not our weakest link.
For women just starting out in cyber risk or compliance—especially those without a traditional tech background—what advice would you give them as they try to find their footing and voice in the industry?
Ask questions. This field is complex, and curiosity is a strength, not a weakness. Second: Recognize your transferable skills. You don’t need a computer science degree to excel in risk. Communication, pattern recognition, strategic thinking—these all translate. Own your perspective, and use it to build bridges across disciplines. Understand your strong transferable skills. I’ve found that I am very process driven and that I am an effective communicator – and I use these skills paired with my education to drive risk reporting and mitigation efforts.
Looking ahead, what kind of legacy do you want to leave behind through your work in risk, governance, and security? What impact do you hope others feel because of what you’ve built?
I want my legacy to reflect that risk and security are not barriers, they are enablers of trust, innovation and resilience. I hope the risk culture I instill empowers people to make informed, confident decisions. In a regulated and ever-evolving industry like insurance, I want to be remembered for not just implementing controls, but for building frameworks that help the business adapt securely and serve clients with integrity. I also hope to inspire women and underrepresented professionals to lead boldly in cybersecurity and governance. I want teams to feel that the structures we’ve put in place don’t just manage risk., but actively support their ability to take smart risks. I also hope that those I’ve mentored or worked with feel a deeper sense of purpose in the work they do. Risk isn’t just a function, but it is a critical partner in building something enduring and ethical.
More about Mary Kate Rush
Mary Kate Rush is a cybersecurity leader at the intersection of governance, compliance, and executive risk strategy. With a background in English and entrepreneurship from Penn State and continued education at Harvard, she leads IT Risk Services with a narrative-driven, audit-ready approach. Her work integrates top frameworks like NIST, COBIT, and HIPAA, leveraging advanced tools like BitSight, Microsoft Purview, and Introspect to deliver real-time, board-level insights and end-to-end risk visibility.
