With two decades of leadership in information security and technology governance, Diallo Gentry is celebrated for building resilient, revenue-generating security programs in heavily regulated industries. Recently named an A100 Award winner by CISOs Connect, Diallo has elevated companies through strategic risk management and a relentless commitment to excellence. As Head of Security, Privacy, and Risk at XSELL Technologies, he leverages over 20 years of experience to transform organizational security postures and sustain customer trust. A Chicago CISO of the Year operating committee member, Diallo works to advance the strategic role of security leadership in business success.
Recently, in an exclusive interview with Digital First Magazine, Diallo shared his professional trajectory, significant career milestone, personal role model, future plans, words of wisdom, and much more. The following excerpts are taken from the interview.
Hi Diallo. Can you please provide a brief overview of your background and experience in the tech industry?
Early in my career, I didn’t expect to find myself in tech—I had initially envisioned an academic path, but that’s a story for another day.
My journey started in system and network support within academic and small corporate environments. I was introduced to security when I transitioned to professional services, managing large-scale infrastructure for Fortune 100 data centers. This early foundation has been invaluable, providing me with skills and experience I still rely on today.
As cybersecurity rapidly evolved, I expanded my expertise with roles in GRC, application security, and security architecture. These experiences led to security leadership roles where I focused on building robust security programs designed to protect information assets and sustain stakeholder trust.
I also gained perspective as a security vendor, a rewarding opportunity to help client organizations solve previously intractable challenges and achieve their data security and privacy goals. Having built data security and privacy programs from the ground up, my focus now is on optimizing these programs through performance improvements and automation.
What are the most rewarding parts of your current role, and why?
Two key aspects of my role at XSELL Technologies make it especially rewarding. First, working with a growth-phase company is a unique experience. The business has reached a level of stability, has nailed down its product-market fit, and has made impressive strides toward product maturity. Yet, the pace remains exhilarating and can instantly shift to breakneck speed. Small decisions can profoundly impact the business, and scaling effectively presents real, complex challenges. If you’re part of a growth-phase company and don’t feel you’re making a mark, it’s likely because you’re not looking hard enough.
The second aspect I find rewarding is the daily immersion in AI. Joining XSELL in 2021, I was drawn by the opportunity to explore how or if familiar security processes would need to adapt to the needs of ML Ops, e.g. container security, test data hygiene, and model integrity. Little did we know the waves generative AI would make when ChatGPT launched in 2022. It set new market expectations and prompted one of those breakneck responses. Now, two years later, we’re working from a new baseline, driving innovation in step with the AI landscape.
What are the most significant data security challenges businesses are currently facing, and how can we address them?
I can go so many different directions with this question, but I think I’ll choose what might be a little unexpected.
There are some outstanding data security leaders who work hard every day safeguarding their organizations and the interests of their stakeholders. I know these folks. They’re doing hard work and they’re making a difference.
One of the common features across these leaders is they do a great job of communicating information risks—security and/or privacy—to their management, their boards, or any other interested parties. That skill is critical to their success and critical to the programs they lead.
The reason these leaders are successful is because they tie those risks to measurable business objectives, e.g. retaining customers, capturing new revenue, increasing process efficiency or accuracy or something else that is quantifiable. It is my observation that the leaders who can do this prosper as do their teams as do their organizations.
There is another group of professionals that succeed in losing their stakeholders among the trees in the forest when they talk about technical or procedural deficiencies. They may show charts and trend lines, but does their show ‘n’ tell point to anything that stakeholders are truly interested in—regrettably, no.
And my point is not to unduly criticize these folks, but to simply say, that this is an area that we, as practitioners, should strive to improve by teaching, mentoring, sharing and always challenging ourselves to make incremental improvements every day.
How can leaders ensure data security and privacy in the face of increasing threats and regulations, especially in today’s AI era?
Tomes could be written answering this question but let me see what I can do to address it briefly.
First, let’s focus on the language we use as we discuss the task of data security and privacy leaders. I’m suspicious of the word ‘ensure.’ Are you really asking leaders for a guarantee that no harm–destruction, disruption, unauthorized exposure, market loss, fraud–will come to information assets and/or stakeholders? While protecting confidentiality, integrity, availability, and privacy is the goal, our efforts will never be perfect. Data security and privacy leaders are risk managers. Our job is to identify, assess, prioritize, develop, and implement reasonable controls to reduce the likelihood and impact of harm to assets and stakeholders.
Let me address threats and regulations separately, taking regulations first. I will focus my context on the US legal framework and, therefore, replace regulation with *legal requirements* to encompass statutory, regulatory, and common law concerning data security and privacy.
In short, security and privacy leaders have a mess on our hands. As of this writing, there’s no national, unifying, multi-industry minimum legal requirement for safeguarding stored, processed, or transmitted information in the United States. There are 16 states with comprehensive data privacy laws. The Health Insurance Portability and Accountability Act (HIPAA) only applies to protected health information/electronic protected health information (PHI/ePHI). The Gramm–Leach–Bliley Act (GLBA) applies to financial services and non-public information (NPI). While every state and territory has a data breach notification requirement, the most recent thorn in the side of security and privacy leaders is the SEC’s rule governing incident disclosure for public companies.
Adding one more straw, many organizations of all sizes do business internationally, so we can’t leave out GDPR (EU), Privacy Act of 1988 (Australia), Chinese Cybersecurity Law (China), etc.
My point in showcasing all of this is to emphasize that leaders cannot and should not shoulder the burden of legal compliance alone. They must have other competent partners within the business, and responsible teams should leverage effective tools and systems whenever possible to manage the myriad processes, documentation, and controls required to demonstrate and maintain compliance.
As far as the actual threats are concerned, they may not be actually increasing, but year over year they become more nuanced, or evolve more quickly from one generation to the next. I’ll say more about that in a minute.
Many threats are very familiar to us and have persisted for multiple years. Using the 2024 Verizon Data Breach Investigation Report as a source, we see that:
– Credential theft
– Phishing
– Web application exploit
– Denial of service
– Malware/Ransomware
continue to be the common vectors leading to security incidents across all organizations.
As far as AI’s contribution to this mess, it is contributing to the shorter cycles between successive generations of malware, and increasing their sophistication, e.g. phishing emails that contain entire threads to social engineer targets into thinking they are participating in an authentic message thread. In other scenarios, AI can help malware to avoid some detection methods and propagate more efficiently.
Legal requirements such as the EU’s Artificial Intelligence Act (AI Act) will establish minimum trust requirements for AI systems developed and deployed by legitimate entities in the EU. This, however, won’t have any effect on those capitalizing upon the misuse and corruption of AI technologies.
What has been your most career-defining moment that you are proud of?
I’ve been fortunate to participate in many significant projects throughout my career, each serving as a building block for professional growth. However, one experience stands out: while serving as Security Engineering Manager, I was the regional leader for a firewall centralization project that consolidated over 100 globally dispersed firewalls into a single operations center. This 15-month initiative, including both planning and execution phases, has been a reliable template for large change management efforts.
This project embodied every challenge inherent in large-scale transformations:
– Complex technical planning and coordination across multiple time zones
– Minimizing service disruption for global customers
– Building consensus among diverse stakeholders
– Overcoming resistance to change
– Developing comprehensive risk mitigation strategies
One challenge I encountered involved working with a technology center serving energy sector clients. Their team initially resisted the centralization, citing concerns about responsiveness to their specialized customer needs. Rather than forcing compliance, I engaged directly with their leadership, listened to their concerns, and secured authorization to incorporate their feedback into the operating model. This collaborative approach not only won their support but improved the overall design of our centralized operations.
Despite the inevitable hurdles and learning moments, the project succeeded through persistent stakeholder engagement and meticulous planning. What made this experience career-defining wasn’t just the technical achievement but the lasting lessons about leading complex organizational change. The satisfaction of seeing diverse teams unite behind a common goal remains a significant milestone on my professional journey.
If you could have a one-hour meeting with someone famous who is alive, who would it be and why?
There are too many possible people to pick from, but for now, I think I will go with an author on my shelf, Nassim Nicholas Taleb. I enjoyed his book ‘The Black Swan: The Impact of the Highly Improbable’, and I have Antifragile on my list. While I’m sure there needs to be more than a one-hour session, any conversation with Taleb would provide sharp insight to increase my appreciation for the nuance of risk and complexity.
But if I could bend the question’s constraints a bit, I’d love to sit in on a discussion between Taleb and Douglas W. Hubbard, author of How to Measure Anything. I’m sure that conversation would yield a masterclass in risk analysis.
Is there a particular person you are grateful for who helped get you to where you are?
I’ve had excellent guides and coaches throughout my career, but the singular person who enabled me to succeed as I have is my father.
It boils down to establishing and reinforcing the attributes that contribute to success—no guarantee of success, but critical attitudes and behaviors make it more likely, and my dad was the person who taught me these. Everything else was built on top of this.
For me, that core is:
– Be deliberate; create plans and commit to them
– Allow your plans to adapt when necessary or appropriate
– Anything worth doing is worth doing well, and
– Persevere; things that start out difficult get easier with repetition.
Certainly, there’s more, but these four have always been essential to me. And apparently, they work. Thanks, dad.
How do you keep your mind healthy and stay resilient? And how do you motivate your team?
Staying healthy and resilient is about some simple truths. Eat well and exercise. Get a sufficient amount of rest. Do other things you enjoy, even little things; it doesn’t have to be extravagant. Give yourself grace. If something doesn’t go right today, you can try again tomorrow. Don’t take yourself too seriously. Respect and appreciate people: You never know when you may be the person who helps them make it through the day, and you never know when they might be the ones who return the favor to you.
Most team dynamics, including motivation, can be traced back to hiring decisions. Not to suggest that there is some perfect candidate for a role out there in the wild, but a person must bring professionalism, persistence, integrity, humility, and collaboration to the role. As one of my mentors offered to me when I was first promoted to management, “Search for attitude. Train for aptitude.”
That said, I am incredibly fortunate to have a team that exhibits those qualities and more daily. With that strong foundation in place, my key task becomes consistent and transparent communication. If I do a good job of keeping my team in touch with the value and benefits we deliver to our stakeholders—our colleagues, board, investors, and customers—they take care of the rest. And sometimes, we’re the beneficiaries of our own efforts.
Where do you see yourself in the next 5 years?
In thinking about my career path, I no longer try to fit myself into specific roles or settings within a rigid timeframe. Early in my career, those types of goals led me to make one or two hasty choices. While there was no lasting harm—just a smidge of regret perhaps—I’ve come to value learning from each step, even the imperfect ones.
Now, I set broader objectives for the experiences I want. In five years, I see myself doing similar work to today on a larger stage with more reach and influence. This will likely include implementing more automation to optimize security and privacy processes. So many tasks across organizations of all sizes are still done manually, as they were 10 or 15 years ago, and that needs to change. I also want to help foster the next generation of security and privacy leaders, sharing lessons from my journey so they can build on them and advance even further.
What message or advice would you give to aspiring professionals who are interested in pursuing a career in tech?
When I was a senior in high school, an assistant basketball coach from Ohio State University—I’m afraid his name escapes me—spoke at a school assembly and shared something that’s stuck with me ever since: “Make your work play; take your play seriously.”
There’s nothing better than enjoying what you do professionally. There are times when I’ve felt that I’m getting paid to do a hobby—and, believe me, there are also days when it definitely doesn’t feel that way. But that enjoyment in the work gives you the resilience to get through those tougher days.
Technology is a field that never stops evolving. If you’re curious about how things work and aren’t afraid of making mistakes, tech can be incredibly rewarding. You’ll get the chance to solve meaningful problems, work with innovative professionals, and benefit financially—all while doing something that truly matters to you and others. But none of these matters if you don’t enjoy the work or the continual learning needed to keep up with the field.
And as important as technical skills are, don’t overlook the power of strong interpersonal skills. Whether you’re working within a team, with clients, or across departments, collaboration is at the heart of success in tech. Remember, you might work for a company, but your ability to work with people to achieve shared goals is often what makes the difference.