Key Takeaways
- Kelly Moan, NYC’s Chief Information Security Officer since 2022, leads the NYC Cyber Command in protecting over 100 city agencies from cyber threats and aiding recovery after attacks.
- Her confidence stems from a strong team and proactive training for worst-case scenarios, emphasizing preparedness as a core strategy.
- The NYC Cyber Academy, launched in 2022, provides critical upskilling and reskilling for city employees through a four-week incident response program, expanding beyond initial cyber liaisons to broader staff.
- Moan observes the CISO role rapidly evolving into a trusted advisor for enterprise-wide risk assessment, requiring communication of cyber risks in clear business terms to executives and stakeholders.
- Effective cybersecurity leadership demands partnership with business units and framing digital risks in financial, reputational, and operational terms, regardless of sector.
Introduction: Leadership Amidst Complexity
Kelly Moan approaches her role as New York City’s Chief Information Security Officer (CISO) with a grounded sense of confidence, despite navigating an increasingly chaotic global landscape. Since assuming the position in 2022, she has overseen the NYC Cyber Command, a critical unit within the Office of Technology and Innovation tasked with safeguarding the digital infrastructure of New York City. Moan explicitly credits her team’s capability as the foundation for her own peace of mind, stating, “Thankfully, I have a great team at NYC Cyber Command, which affords me the ability to sleep.” This trust in her personnel allows her to focus on strategic priorities, particularly the relentless preparation for potential high-impact cyber incidents that could disrupt essential city services. Her mindset reflects a pragmatic optimism rooted not in the absence of threats, but in the strength of her organization’s readiness to face them.
NYC Cyber Command’s Vast Protective Mandate
The NYC Cyber Command shoulders an immense responsibility: defending the technological ecosystems of more than 100 distinct city agencies against a relentless array of hackers and digital criminals. This mandate extends beyond mere prevention to encompass comprehensive incident response and recovery efforts when breaches inevitably occur. Moan’s role necessitates constant vigilance across a highly diverse attack surface, ranging from public safety systems and emergency services to transportation networks, housing authorities, and administrative databases supporting millions of residents. Protecting this interconnected web requires not only advanced technical defenses but also seamless coordination between agencies, each with its own unique systems, data sensitivities, and operational rhythms. The command functions as the city’s central nervous system for cyber resilience, ensuring that threats are detected, analyzed, contained, and remedied with minimal disruption to vital public services that New Yorkers depend on daily.
Building Resilience Through the NYC Cyber Academy
A cornerstone of Moan’s strategy for enhancing citywide cyber posture is the NYC Cyber Academy, a pioneering initiative launched in 2022. Designed as a first-of-its-kind municipal program, it focuses on elevating the cyber incident response capabilities of city employees through intensive training. The Academy’s core offering is a rigorous four-week curriculum that delivers both “upskilling” (enhancing existing skills) and “reskilling” (teaching new competencies) to participants. In its inaugural year, the program successfully graduated 25 individuals, establishing a foundation for scalable impact. Crucially, the Academy’s scope has evolved based on real-world feedback from its cohorts. Initially concentrating on strengthening the skills of designated cyber liaisons within each agency, it has now broadened its reach to include a wider spectrum of city staff. This expansion acknowledges that effective cyber defense is not solely the realm of specialized technicians but requires awareness and preparedness across the entire workforce, transforming employees from potential vulnerabilities into active defenders of the city’s digital assets.
The Evolving Strategic Role of the CISO
Drawing from her extensive background—including prior cybersecurity positions with the New York Police Department and the U.S. Department of Homeland Security—Moan possesses a unique perspective on how the CISO profession itself is transforming. She asserts with conviction that the role is no longer confined to technical oversight but is increasingly positioned as a trusted advisor for comprehensive risk assessment across the entire organization. “We’re already seeing the CISO role leveraged as a trusted adviser for risk assessments more broadly,” she explained, predicting this trend will accelerate rapidly in the coming years. This shift demands that CISOs develop deep business acumen alongside their technical expertise, enabling them to translate complex cyber threats into terms that resonate with executives, budget holders, and operational leaders. The modern CISO must speak the language of risk management, governance, and strategic planning to secure necessary resources and drive organization-wide security initiatives effectively.
Translating Cyber Risk into Business Impact
Central to Moan’s vision for the future-focused CISO is the imperative to communicate cyber risks not as abstract technical problems, but as tangible business challenges with measurable consequences. She emphasizes that “all cyber attacks carry widespread financial, reputational and other costs,” arguing that effective leadership requires partnering directly with business units to socialize risk in terms they understand and prioritize. This means framing potential losses not just in terms of data compromised or systems down, but in quantifiable impacts: projected financial losses from downtime or fines, damage to public trust and city reputation, erosion of citizen confidence in government services, and potential legal liabilities. By contextualizing cyber threats within these broader business and mission-critical frameworks, CISOs like Moan can foster genuine collaboration, justify security investments as enablers of operational continuity and public trust, and move cybersecurity from a siloed IT concern to an integral component of overall organizational resilience and strategic decision-making—whether operating within the public sector, as in NYC, or the private sphere. Her leadership embodies this evolution, turning the challenge of an ever-expanding threat landscape into an opportunity to strengthen the city’s foundational digital defenses through preparedness, education, and strategic communication.

