From Strategy to Cybersecurity Leadership: Gina Yacone’s Journey to CISO

Gina Yacone, chief information security officer, shares how her experience in UNH’s online Master’s in Cybersecurity Policy and Risk Management helped shape her leadership in a rapidly evolving field
March 30, 2026

In today’s cybersecurity landscape, technical expertise alone is not enough. Leaders are expected to translate complex threats into business decisions, align security with organizational goals, and navigate an evolving web of regulations and risk.


That is exactly the kind of leadership the University of New Hampshire’s online M.S. in Cybersecurity Policy & Risk Management (CPRM) is designed to develop.

For Gina Yacone ’23G, now a chief information security officer and trusted advisor to enterprise organizations, that transformation was real and career-defining.

“My master’s in cybersecurity shapes how I approach security as a business discipline, not just a technical function. It enables me to assess threats through the lens of enterprise risk, regulatory intent, and organizational accountability,” Yacone says. “That foundation helps me translate complex security challenges into clear executive decisions and design governance models that deliver measurable, defensible business value.”

So how does someone grow into that level of leadership?

We asked Gina to share her journey.

What motivated you to pursue UNH's M.S. in Cybersecurity Policy & Risk Management, and how did you know it was the right fit?

I was motivated by the desire to sharpen and formalize the foundation I had already built as a security practitioner. I was fortunate to receive multiple offers from strong programs, so I approached the decision with meaningful due diligence, speaking directly with leaders at each university to assess both academic rigor and cultural fit. When I met faculty member Maeve Dion, I immediately knew I had found the right program. Her leadership, vision, and research, particularly around metrics and measurable outcomes in cybersecurity, aligned perfectly with how I believe security should operate. I also recognized the caliber of professors teaching the courses and the depth of commentary and insight they brought to every deliverable. That level of engagement and practical feedback was critical. I wanted to lead programs that could quantify risk, demonstrate value, and withstand board and regulatory scrutiny, and the program’s philosophy mapped directly to those goals.

What had the greatest impact on your professional growth and path to becoming a CISO?

Looking back, the most significant impact of the CPRM program was how it strengthened my strategic lens. It expanded my thinking beyond technical execution and into enterprise risk, governance, and accountability. The program emphasized how policy, regulation, leadership, and operational controls intersect, which reshaped how I approached security decisions. Instead of focusing solely on how to secure something, I began asking how it aligned to mission, risk tolerance, and long-term resilience. That shift was foundational in my path toward becoming a CISO.

When I entered the program, I already had hands-on experience building and operating security capabilities. CPRM helped me elevate that experience into a broader enterprise framework. I intentionally built on that foundation by seeking opportunities to influence executive strategy, lead cross-functional initiatives, and communicate risk in business terms. Over time, combining operational depth with governance and leadership discipline positioned me to serve as a strategic advisor and ultimately step into CISO-level leadership.

How did the program prepare you for the multidisciplinary decisions you make today?

The program’s blend of cybersecurity, policy, law, and risk management prepared me to view security decisions through multiple lenses at once: technical feasibility, regulatory impact, governance responsibility, and business consequence. In my role today, very few decisions are purely technical. They involve contractual obligations, compliance exposure, stakeholder accountability, and strategic tradeoffs. The multidisciplinary foundation of the program trained me to evaluate those dimensions simultaneously and make decisions that are both secure and defensible. Once you understand the intersection of all three, you can communicate the “why.”

What is one assignment or concept from the program you still apply in your work?

One example I still apply directly is my final project focused on cybersecurity metrics and measures. That work reinforced the importance of designing metrics that reflect risk reduction and business impact, not just activity. Today, whether I am advising executives or presenting to boards, I use that same discipline to ensure security performance is measurable, defensible, and aligned to organizational objectives rather than simply reporting operational data.

How did the program strengthen your ability to communicate across technical and non-technical teams?

Since the coursework required us to frame issues from multiple stakeholder perspectives, I learned to communicate security in a way that resonates with executives, legal teams, and operational leaders alike. That bridge-building skill is now central to how I lead and advise organizations today.

What competencies are essential for advancing into cybersecurity leadership today?

Today, cybersecurity leaders must understand AI and its intersection with data security, identity and access management, and the broader ecosystem those systems depend on. Just as important is recognizing the distinction between traditional IT governance and AI governance. IT governance is built around deterministic, rule-based systems and predefined controls, while AI systems learn, adapt, and can produce opaque or autonomous outcomes. That unpredictability requires specialized oversight, model risk management, and stronger data governance. Leaders who want to advance into executive roles must be able to navigate that complexity and translate it into clear, risk-informed business decisions.

How did the CPRM program help you stay ahead in a rapidly evolving field?

The CPRM program did not just teach current frameworks or regulations; it trained me to think in systems and principles. Instead of reacting to each new regulation or emerging threat in isolation, I learned to evaluate how it fits into enterprise risk, accountability, and long-term resilience. That mindset of structured analysis and continuous reassessment is what allows me to stay ahead in a field that never stands still.

What advice would you give to professionals who feel they are not “technical enough” or not “policy-focused enough”?

I would tell them that cybersecurity risk management is not about fitting into a single lane. It is about learning how to connect technical reality with business and policy decisions. You do not need to arrive as an expert in both. A strong program helps you build fluency across domains and teaches you how to think critically about risk, governance, accountability, and the technology that supports those efforts. If you are willing to be curious, disciplined, and open to learning, you are more than qualified to pursue it.

Ready to Advance Your Career in Cybersecurity?

Build expertise in policy, governance, and risk management with UNH’s online M.S. in Cybersecurity Policy & Risk Management (CPRM).
