Cybersecurity has always had a communication problem. Engineers speak in code. Executives want answers in dollars. Lawyers demand compliance. Rarely do these worlds converge—unless Olivia DeBottis is in the room.
As VP of IT Risk at Core Specialty Insurance Holdings, Olivia doesn’t just lead cybersecurity programs, she translates them. Her background in law and risk management allows her to build bridges between technical teams, regulatory frameworks, and business strategy. Whether it’s designing AI-powered vendor scoring models or steering regulatory attestations with precision, she ensures cybersecurity isn’t just understood; it’s valued.
Her secret? A mindset that sees cybersecurity not as a static checklist, but as a living ecosystem; one that thrives on cross-functional clarity, continuous learning, and cultural buy-in. Add to that a high-performing risk team that’s 90% women, and you have a leader who’s not just shaping frameworks, but shifting paradigms.
Curious about how she brings tech, law, and business into one coherent voice, we sat down with Olivia to learn how she’s redefining leadership in cybersecurity, on her own terms.
Below are the excerpts from the interview:
Olivia, you bring a unique lens to cybersecurity with your dual background in law and risk management. How does this combination influence the way you build and govern IT risk programs?
My combined background in law and risk management enables me to approach governance with both a compliance driven and operationally practical mindset. From the legal perspective, I ensure that our programs are aligned with evolving regulatory frameworks, contractual obligations, and data privacy mandates. At the same time, my risk management experience allows me to evaluate threats through a business continuity lens, focusing on real-world impact and mitigation strategies. This dual perspective helps bridge the gap between legal expectations and operational feasibility, ensuring our programs are not only robust and defensible, but also adaptable and business aligned.
Your team has developed a real-time risk scoring system across third- and even fourth-party vendors. Can you walk us through how this system works—and how it changes the way executives view cyber risk?
Our real-time risk scoring system integrated multiple data streams—including threat intelligence, vendor reported assessments, and behavioral analytics—to create a dynamic and continuously updated risk profile for each third- and fourth-party vendor. The system leverages machine learning to detect anomalies, prioritize vulnerabilities, and generate risk scores that reflect both inherent and residual risks. For executives, this visibility is invaluable. Rather than relying on static, annual assessment, they now have access to real-time dashboards that contextualize cyber risk in business terms—enabling faster, more informed decision-making around vendor engagement, contract negotiations, and incident response.
With your legal and risk background, how do you see AI transforming cyber accountability—especially in areas like third-party risk scoring, audit defense, and regulatory attestations?
AI has the potential to elevate cyber accountability by enhancing transparency, precision, and scale. In third-party risk scoring, AI can continuously monitor vendor ecosystems, flag emerging threats, and adapt scoring models based on real-time data—far beyond what manual processes allow. For audit defense, AI helps streamline evidence collection and control validation by autonomously mapping activities to control frameworks, reducing human error and accelerating readiness. In terms of regulatory attestations, AI supports proactive compliance by tracking regulatory changes, cross-referencing internal policies, and detecting discrepancies before they become liabilities. In short, AI empowers organizations to shift from reactive compliance to proactive governance.
You mentioned “Cybersecurity is a living ecosystem.” Can you elaborate on what that means in your day-to-day leadership, and how this philosophy shapes your long-term strategy?
To me, the phrase “cybersecurity is a living ecosystem” reflects the constant evolution of threats, technologies, and regulations. In daily leadership, this means staying agile—adapting processes, updating playbooks, and nurturing cross-functional collaboration. Long-term, it requires cultivating a security culture that thrives on continuous learning, iterative improvement, and partnership across the business. Our strategy isn’t fixed—its resilient, responsive, and designed to grow with the ecosystem around it.
As someone holding both CISO responsibilities and legal certifications, how do you navigate the balance between technical strategy and legal defensibility during a breach or audit scenario?
It’s a careful balance of enabling innovation while safeguarding Core Specialty’s legal posture. I work closely with technical leads to ensure controls are not just effective but also well-documented and mapped to regulatory standards. During an incident or audit, that preparation allows us to demonstrate not only that we acted appropriately, but that our decisions were rooted in both technical best practice and legal prudence. It’s about making sure strategy and defensibility are not in conflict—they’re built in tandem from the start.
What’s one common mistake you see companies make when building out their IT risk or compliance programs—and how would you steer them differently?
A frequent misstep is treating compliance as a checklist instead of a strategic enabler. When organizations focus solely on passing audits, they often miss broader risk indicators. At Core, we are building a program that goes beyond compliance—one that incorporates real-time analytics, business context, and scalability. That shift transforms compliance from a reactive burden to a proactive asset.
As a woman executive with expertise in law, risk, and cybersecurity—spaces that have traditionally skewed male—how have you built your voice and credibility in the room, especially during critical decisions or high-stakes discussions?
With degrees from both Temple University’s Fox School of Business and Beasley School of Law, I have built my career at the intersection of insurance, law, business, and technology. I’ve earned my seat at the table through deep subject matter expertise, a strong operational understanding, and a commitment to delivering results. As a CISO, I’ve built and led a high-performing IT Risk team that is 90% women—each of them exceptionally qualified, credentialed, and experienced. At Core, women aren’t fighting to be respected—we are hiring women whose education, training, and performance speak for themselves. Credibility isn’t something we ask for—it’s something we walk in with. That mindset shifts the tone of the room and redefines leadership norms in this space.
What advice would you give to young women who are interested in both law and technology—but don’t yet see how they can merge those passions into a cybersecurity career?
Cybersecurity is one of the few fields where law and technology truly intersect. My advice? Don’t choose one over the other—lean into both. Explore roles in compliance, governance, or third-party risk that require legal insight and technical literacy. Find mentors in both spheres. You don’t have to fit into a predefined role—some of the most impactful careers are built at the intersections of disciplines. Lean into what makes your perspective unique and know that the ability to translate between legal and technical teams is a real asset in this space.
Looking ahead, what’s the legacy you hope to leave through your work—whether it’s in risk innovation, legal strategy, or talent development?
I hope my legacy is that I fostered a culture where people felt empowered to grow, take smart risks, and collaborate openly. Whether through building resilient programs, mentoring rising talent, or creating inclusive spaces, I want to be remembered as someone who led with purpose and elevated those around me.
Finally, how do you define leadership in cybersecurity today—and how has that definition evolved for you personally over the years?
Leadership in cybersecurity today means being more than just technically strong—it’s about being clear, adaptable, and able to connect cyber priorities with broader business objectives. It’s knowing when to push for change, when to listen, and how to align security with strategy. Earlier in my career, I thought leadership was about having the answers. I’ve learned it’s about creating the space for the right conversations, empowering others to lead, and showing up with consistency—especially under pressure. It’s not just about being an expert; it’s about building trust and driving progress in a space that never stands still.
More about Olivia Debottis:
Olivia DeBottis is a CISO and VP of IT Risk who merges legal expertise with cutting-edge cybersecurity strategy. Leading a full-spectrum risk program—from eDiscovery to AI-driven vendor scoring—she protects enterprises by anticipating threats, not just reacting to them. Her team harnesses tools like Microsoft Purview and Proofpoint to deploy real-time risk analytics, penetration testing, and regulatory compliance across hybrid environments. With dual degrees in Law and Risk Management, she uniquely bridges boardroom priorities with technical execution, ensuring security isn’t just robust but business-aligned.
