Insights on governance, AI, and talent strategies from Andrew Cunje, Chief Information Security Officer at Appian, in conversation with Boyden’s Paul Dennis.
Welcome to Executive View, an exclusive series featuring conversations with global executives on pivotal topics shaping business, strategy, and executive talent.
In this edition, Boyden’s Paul Dennis speaks with Appian Chief Information Security Officer, Andrew Cunje, to discuss the critical intersections of cybersecurity, business growth, AI, and emerging technologies. Drawing from his extensive experience, Andrew offers actionable insights on balancing innovation with safeguarding enterprise trust.
This discussion ties directly to Boyden’s Technology Trends Report: Decoding Tech Trends and Leadership in the Digital Age, highlighting key findings on emerging trends that are transforming industries and redefining the future of leadership and business strategy.
Cybersecurity Fundamentals at Scale: The foundation of strong security lies in mastering the basics, such as Zero Trust principles, cloud security, and regulatory compliance across global markets. A well-aligned security strategy not only reduces risk but also serves as a competitive advantage.
AI in Cybersecurity: AI enhances security by automating threat detection, reducing manual workload, and improving accuracy. By integrating AI into security operations, companies can boost efficiency and responsiveness while maintaining high standards of protection.
Effective CISO Reporting Structure: While reporting lines vary, the success of a cybersecurity program depends more on resource allocation, mission alignment, and executive engagement than on organizational hierarchy.
Bridging the Cyber Talent Gap: Internal mobility, cross-functional training, and high entry standards help organizations build strong cybersecurity teams despite a global talent shortage.
Board-Level Cyber Expertise: Cybersecurity must be a boardroom priority, with technical leaders ensuring cyber resilience is embedded across all business functions. A deeper understanding of security fosters a culture of protection at every level.
Dennis: What is the most significant governance risk related to cybersecurity that your leadership team is focused on addressing?
Cunje: We focus on nailing the basics at scale. For example, implementing Zero Trust principles involves amplifying their application and frequency. As a sales-minded CISO, I prioritize aligning our teams closely with the company’s direction, needs, and our customers’ journeys. Our guiding principle is simple: “If you don’t know who your customer is, question what you’re working on.” This underscores our belief that without our customers’ trust, we are nothing.
With this focus, we ensure our cloud security meets global privacy and compliance standards, build efficient security systems that support business goals, and maintain regulatory excellence in key markets like the U.S., U.K., Australia, and Canada. Our three-year strategy centers on reducing risk with enterprise-grade security while using security as a competitive advantage to open new markets.
We achieve this by continuously monitoring our security posture, strengthening threat detection, and reinforcing identity and network protections. By benchmarking against industry standards and stress-testing our systems, we prioritize solutions that balance security, business impact, and customer trust.
Dennis: How is your organization leveraging AI to enhance cybersecurity, particularly in real-time threat detection and response?
Cunje: AI’s natural role is enhancing existing processes, making them faster, more reliable, and increasing throughput. At Appian, we are a process company and AI can help us and our clients get more value from processes that already exist. From a security perspective, we apply AI across various use cases, from customer enablement to threat detection and response. A key initiative is using Appian to monitor Appian itself via a SOAR (Security Orchestration, Automation, and Response) platform built on three principles:
For example, creating security detections manually can take 4-6 hours per detection. With hundreds of potential detections needed to address Tactics, Techniques, and Procedures (TTPs), the time investment is significant. By augmenting human capabilities with AI, we reduced labor by 70% and achieved 80% accuracy on a sample set of 50 detections. This saves time, delivers high-quality outcomes, and demonstrates AI’s transformative potential in cybersecurity.
Dennis: In your view, what is the ideal reporting structure for a CISO, and how does it influence cybersecurity outcomes?
Cunje: Every company is on its own cybersecurity journey and every company is in a slightly different place. Factors such as the company size, industry, and breach history will determine the amount of investment or reporting structure. However, in my experience, the reporting structure is less important than the resources and alignment around the mission. Critical factors include:
Whether the CISO reports to the CEO, General Counsel, CIO, or another executive, success will ultimately hinge on these factors and the CISO's ability to align resources and strategy effectively.
Dennis: With a global shortage of 3.4 million cyber professionals, how is your organization addressing the cyber talent gap? Are you investing in upskilling or reskilling programs?
Cunje: We have a high entry bar at Appian. All our engineers will have a cybersecurity background and demonstrate strong technical ability and professional tenacity, as the problems they work on are not simple to solve.
We have had success importing and exporting great talent from other parts of the company. Skilled engineers from business technology or solutions engineering have joined our group permanently or rotated through, which really is a win-win, as we get to work with the greatest engineering minds and also get to help our engineers become more proficient in our security processes and frameworks if and when they transition back out to other parts of the business.
Dennis: As cybersecurity becomes a top priority at the governance level, what skills or knowledge are essential for board members to ensure informed decision-making?
Cunje: Cybersecurity expertise is essential at the board level. Having CISOs and technical leaders like CTOs or CIOs involved helps ensure that cyber resilience and risk management are woven into the fabric of the organization.
Boards can strengthen their impact by deepening their understanding of cybersecurity and fostering a culture where security is a shared responsibility across people, systems, and processes. Prioritizing cybersecurity as a core business value enables organizations to integrate it seamlessly into every layer of operations.
Executive Biography
Andrew Cunje joined Appian in May 2021 and brings over 17 years of experience in security and compliance, including in the software-as-a-service (SaaS) and platform-as-a-service (PaaS) cloud industries. Previously, Andrew ran security for the Salesforce Public Sector and led strategic initiatives internationally, including vaccination platform security. Andrew holds a B.S. in Information Technology with a concentration in Information Security and Network Administration from George Mason University and has completed the Carnegie Mellon Executive CISO Program.