Finding the Needle Within the Needles
Signal to Noise Interview with Nick Bruno, CISO and SVP of IT at SHL
Welcome back to Signal to Noise, where we distill meaningful conversations with security leaders into practical takeaways. This week, I sat down with Nick Bruno, CISO and SVP of IT at SHL.
Nick has nearly 24 years in security, though he took an unconventional path to get there. He started on the help desk, hoping to become a Windows System Admin, but was told the field was already saturated. Instead, he took on whatever roles others didn't want - vulnerability management, IDS administration, you name it. His philosophy was straightforward: never say no and learn as you go.
After 9/11, his military-minded boss (knowing Nick's Army background) moved him into security and sent him to his first security conference. Nick wasn't immediately sold on the idea - he made it clear he wasn't interested in physical security and "could care less at this point." Little did he know how many opportunities this pivot would create for his career.
Today he oversees global security, IT, business systems, and cloud/dev operations at SHL. Sometimes the best CISOs are the ones who started at the bottom.
On Signal to Noise: The Needle Within the Needles
I asked Nick how he defines signal to noise, and his answer cuts to the heart of every security team's daily struggle:
"How do you find the needle within the needles in the haystack that actually is the actionable area to spend resources on?"
Signal is actionable and meaningful: something you can actually spend time and resources on. Noise is everything else: the daily churn of vulnerabilities and alerts that eats up your team's bandwidth.
"A vulnerability on a publicly-facing host that can be exploited and access to data with the right level of permissions probably is going to give you a bad day. A critical vulnerability on a resource that's in a development environment that doesn't even know what the internet is. Probably not something you want to spend time on."
The math is simple: "I only have so much time in the day. My team only has so much time in a day. Where do I want them to spend the time that's actually going to add value to the business and reduce risk?"
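The triage rule Nick describes above, written out as a small Python example. This is added illustration, not code from Nick, SHL or the interview; the Finding fields, the three-tier outcome (act-now, schedule, backlog) and the sample findings are all constructed assumptions. The point it makes is that the scanner's severity number is only one input: whether the host is reachable, whether an exploit exists, and what data sits behind it decide where the team's hours go.

```python
"""Contextual vulnerability triage: exposure and data access rank findings, not CVSS alone.

Added example; the Finding model and the sample data below are constructed, not
taken from any real scanner output or advisory.
"""
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    host: str
    ref: str              # constructed placeholder identifiers, not real CVE ids
    cvss: float           # base severity as reported by the scanner
    internet_facing: bool
    exploit_available: bool
    data_access: str      # "none", "internal" or "sensitive"
    environment: str      # "prod", "staging" or "dev"

DATA_WEIGHT = {"none": 0, "internal": 1, "sensitive": 2}
TIER_ORDER = {"act-now": 0, "schedule": 1, "backlog": 2}

def triage(f: Finding) -> str:
    """Classify one finding as 'act-now', 'schedule' or 'backlog'."""
    reachable = f.internet_facing and f.environment == "prod"
    # Public host, working exploit, data behind it: the "bad day" case.
    if reachable and f.exploit_available and DATA_WEIGHT[f.data_access] >= 1:
        return "act-now"
    # Dev box that "doesn't even know what the internet is": park it,
    # regardless of how high the scanner scored it.
    if not f.internet_facing and f.environment == "dev":
        return "backlog"
    # Critical severity with either reachability or an exploit: plan it in.
    if f.cvss >= 9.0 and (reachable or f.exploit_available):
        return "schedule"
    return "backlog"

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Order findings so the actionable signal comes first; ties broken by
    how sensitive the data is, then by scanner severity."""
    return sorted(
        findings,
        key=lambda f: (TIER_ORDER[triage(f)], -DATA_WEIGHT[f.data_access], -f.cvss),
    )

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per tier: a quick view of how much is real work."""
    counts = {tier: 0 for tier in TIER_ORDER}
    for f in findings:
        counts[triage(f)] += 1
    return counts

# Constructed sample backlog: note the dev database outranks everything on
# CVSS alone yet lands in the backlog, while the 7.5 on the public web host
# is the one to act on today.
SAMPLE = [
    Finding("dev-db-03", "FINDING-A", 9.8, False, True, "sensitive", "dev"),
    Finding("web-01", "FINDING-B", 7.5, True, True, "sensitive", "prod"),
    Finding("api-02", "FINDING-C", 9.8, True, False, "internal", "prod"),
    Finding("intranet-app", "FINDING-D", 6.5, False, False, "internal", "staging"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{triage(f):9s} {f.host:14s} cvss={f.cvss} {f.environment}")
    print(summarize(SAMPLE))
```

The thresholds and weights are deliberately plain so the logic is auditable; in practice the exposure and data-classification inputs come from asset inventory and should be reviewed as carefully as the scanner results themselves.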
On Actionability: Solutions, Not Just Problems
We went off the rails a bit here because actionability really resonated with me. False positives are technically signals too, until you realize they're not. The real question is: what makes something actionable?
Nick's standard is clear:
"The actionable item that I ask my team or what makes it actionable is there's a solution to mitigate the risk with steps. To ensure that one, when you actually do that, you've done it to address the risk to an acceptable level with the package that allows you to e out the risk or the package that allows you to, one, prove that you've remediated the risk and it's pretty straightforward and there's nothing else left to kind of figure out."
No ambiguity. No rework. Just a package that can be deployed, tested, and verified.
"A lot of times, things come up, hey, you have a critical risk, great, what can I do about it? That's the part that you have to kind of answer the question and come up with a package."
It's like dealing with constant complainers, he says. Don't just tell me what's wrong. Tell me how we're going to fix it so we never have to talk about it again.
On AI Marketing: Navigating the Noise
Nick takes a measured approach to AI marketing claims.
"AI has been around for more than a decade, and there are multiple layers and types of AI technology. It reminds me of Dante's Inferno with its different levels of complexity."
He notes that machine learning has been labeled as "AI" for years, and the current marketing cycle has amplified the messaging significantly.
"When I encounter the uncertainty and conflicting information in the market, and I look at what's being promised from solution and service providers, I tend to set that aside because the terminology often lacks concrete meaning."
Instead, he focuses on practical outcomes. What will the solution actually accomplish? Some of his current tools include AI features that allow users to ask questions and receive quick responses - "similar to how I used ChatGPT to prepare for our conversation."
He sees the real value in training systems for routine decision-making: "For tasks that are fairly standard, where there's a clear action to take and specific recommendations with established criteria, automated systems can effectively make those decisions."
However, this requires careful implementation and building confidence over time. As he puts it, "You wouldn't enable auto-blocking features in security tools like CrowdStrike right from day one."
"When I hear overly ambitious claims, I step back and focus on fundamentals. The real value comes when solutions genuinely improve decision-making and enable better actions, but only after you've built confidence in the system."
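One way to put the "build confidence first, then let it act" idea into practice is a gate that keeps an automated recommendation in observe mode until its recent agreement with analyst decisions clears a bar, and drops it back to observe if that agreement slips. The Python below is an added example, not code from Nick, SHL or any product mentioned above; the class name, the thresholds and the window size are assumptions chosen for illustration.

```python
"""Graduated automation: recommend first, enforce only after earned trust.

Added example with constructed thresholds; not a real product's logic.
"""
from collections import deque
from typing import Deque, Dict, Iterable, Tuple

class AutomationGate:
    """Tracks whether an automated action (for example an auto-block) may fire
    unattended. Starts in observe mode: the system recommends, a human decides,
    and we record whether they agreed. Enforcement turns on only once enough
    recent reviewed decisions show the recommender is right often enough, and
    turns off again if precision degrades. disable_below sits under enable_at
    so the mode does not flap on a single disagreement."""

    def __init__(self, window: int = 50, min_samples: int = 30,
                 enable_at: float = 0.98, disable_below: float = 0.95):
        assert disable_below < enable_at, "hysteresis requires a lower off threshold"
        self.min_samples = min_samples
        self.enable_at = enable_at
        self.disable_below = disable_below
        # True means the analyst agreed with a recommended block.
        self.history: Deque[bool] = deque(maxlen=window)
        self.enforcing = False

    def precision(self) -> float:
        """Share of recent recommended blocks the analyst confirmed."""
        if not self.history:
            return 0.0
        return sum(self.history) / len(self.history)

    def record(self, recommended_block: bool, analyst_blocked: bool) -> bool:
        """Feed one reviewed decision and return the resulting mode.
        Only cases where the system recommended a block count, because those
        are the ones it would act on unattended."""
        if not recommended_block:
            return self.enforcing
        self.history.append(analyst_blocked)
        p = self.precision()
        if self.enforcing and p < self.disable_below:
            self.enforcing = False
        elif (not self.enforcing and len(self.history) >= self.min_samples
              and p >= self.enable_at):
            self.enforcing = True
        return self.enforcing

    def decide(self, recommended_block: bool) -> str:
        """Outcome for a new event: 'block' only when the gate is enforcing,
        otherwise the recommendation is routed to a human."""
        if recommended_block and self.enforcing:
            return "block"
        if recommended_block:
            return "alert-for-review"
        return "allow"

def replay(reviews: Iterable[Tuple[bool, bool]], gate: AutomationGate) -> Dict[str, object]:
    """Run a sequence of (recommended_block, analyst_blocked) pairs through
    the gate and report how the mode evolved."""
    transitions = 0
    mode = gate.enforcing
    for rec, act in reviews:
        new_mode = gate.record(rec, act)
        if new_mode != mode:
            transitions += 1
            mode = new_mode
    return {"enforcing": gate.enforcing,
            "precision": round(gate.precision(), 4),
            "transitions": transitions}

# Constructed review log: 30 confirmed blocks earn enforcement, then two
# analyst overrides in a row pull the gate back to observe mode.
SAMPLE_REVIEWS = [(True, True)] * 30 + [(True, False), (True, False)]

if __name__ == "__main__":
    g = AutomationGate()
    print("day one:", g.decide(True))
    print(replay(SAMPLE_REVIEWS, g), "->", g.decide(True))
```

Counting only the recommended blocks in the precision window is deliberate: an unattended action is judged on what it would have done, and a large volume of correct "allow" decisions should not mask a bad block rate.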
On Time and Investment: The "Yes, And" Approach
How does Nick prioritize his time? It's a simple question that reveals his whole leadership philosophy:
"What's actually going to add business value and help the business move faster while managing risk appropriately?"
He's moved beyond being the person who automatically says "no, you can't do that." His approach now? "It's more about 'yes, but' or 'yes, and' - let's make sure we understand what the risk is with what we're doing, and whether it fits within our risk appetite."
When an executive team decides to enter a new market, Nick knows pushback isn't the answer. "There's nothing I can say that's going to change their mind." Instead, he focuses on helping them understand the risks and putting the right safeguards in place.
"I spend my time helping the business move faster and manage risk effectively. My security investments and everything else I do is basically designed to support those goals."
On What Keeps Him Up at Night: The Unknown Unknowns
"... where additional risk could be seen if not discussed."
Nick maintains regular communication with his executives and key stakeholders, but he knows there's always more happening beneath the surface.
"If I ask my CEO right now, he'll give me his top three concerns. But it's items four, five, and six that he doesn't share - those probably bother him more. He just hasn't thought through them yet, so they haven't made it to his top three list."
Then there's the challenge of technical debt. Legacy solutions are still bringing in revenue but are nearly impossible to upgrade smoothly. Open source components create endless webs of dependencies.
"What should be a simple five-minute software library upgrade actually becomes five months of testing and figuring out all the dependencies. That critical patch you're supposed to complete in two weeks? It ends up taking five months."
It's that gap between identifying a risk and actually fixing it that concerns him most. Compensating controls and monitoring help bridge the gap, but there's always that window of exposure.
On Vendor Relationships: Getting to the Point
Nick's advice to security vendors who want to add real value?
"Skip the marketing fluff. Don't tell me how your solution's going to save me time, save the world, and help me sleep better at night."
He starts every vendor conversation the same way, focusing on core problem statements: What specific expertise are you bringing? What won't you try to do as you grow? What can I actually expect as outcomes?
"I like to keep it straightforward."
The "what won't you do" question is especially helpful. It gives him clarity on where vendors are focusing their efforts, what he can realistically expect from their services, and how they'll work alongside his other tools.
Rather than polished marketing presentations, he prefers honest, direct conversations. "It's better to meet in person and have a genuine discussion." That's where you discover what people are really focused on and whether it's worth exploring further.
Finding Signal
Nick built his career by taking on whatever needed doing and figuring it out. Twenty-four years later, that same pragmatic approach defines how he thinks about everything from AI hype to vendor pitches to executive priorities.
Strip away the marketing. Focus on outcomes. Enable the business. Fix problems completely or don't bother starting.
In a world full of noise, that clarity is the signal.
Stay secure and stay curious, my friends,
Damien
About Nick Bruno: CISO and SVP of IT at SHL with nearly 24 years of security experience across multiple organizations. Started from help desk and worked through every layer of the technology stack. Connect with him on LinkedIn to continue the conversation.