Cyber Frontlines: Sandra Bernardo


In this edition of Cyber Frontlines, meet Sandra Bernardo, Offering Manager for the Cyber Risk, Resilience & Compliance Pillar in the Cyber Strategy and Risk Global Offering Group for IBM Consulting Cybersecurity Services. Sandra is an Associate Partner at IBM Consulting with more than 25 years of international experience in governance, investigations, compliance and cybersecurity. She advises boards and executives on resilience, regulatory transformation and Nth-party risk. She is recognized for co-developing IBM’s global frameworks, serving as Data Protection Officer (DPO) in complex transformations, and innovating with AI-powered governance and investigative technologies.


Stay up-to-date on Sandra’s work on LinkedIn.

What do you do for IBM Cybersecurity Services (CSS), and how long have you been with the team?

I joined IBM in 2019 and have been working with Cyber Strategy and Risk since then, leading projects related to cyber risk management, resilience and compliance. From 2021 to 2025, I served as the leader of the Cyber Strategy and Risk Offering Group in Brazil. Since February 2025, I have been part of the Global Cyber Strategy and Risk team, serving as Offering Manager for the Cyber Risk, Resilience & Compliance Pillar.

In parallel, I also serve as an independent Board Advisor for Pague Menos, one of the largest retail pharmacy chains in Brazil, with over 1,600 stores nationwide and listed on the Brazilian stock exchange. I am a statutory and independent member of its Audit and Information Security Committee, where I contribute to governance, cybersecurity oversight and risk management at the board level.

What got you into the cybersecurity field?

Since 2000, I have worked in enterprise risk management, financial crime prevention and regulatory risk, holding leadership positions both as a consultant at PwC, EY, Grant Thornton and Deloitte, and as a C-level executive (CRO and COO) in the financial sector. When serving as Chief Risk Officer at a pension fund in Chile, I had my first exposure to cybersecurity in 2019, still in a preliminary way. Shortly after, I was invited by the leader of Cyber Strategy and Risk to join the team, with the mission of bringing a more holistic perspective by leveraging my background in economic and financial crime, risk management, compliance and regulatory projects.

What do you enjoy most about your work on your respective CSS projects?

Helping clients transform complex regulatory and risk requirements into actionable governance models that protect resilience and enable business growth. I particularly enjoy shaping board-level engagement and accountability for cyber resilience. I have also been an enthusiast of emerging technologies and AI since 2016, and I see how their use is rapidly expanding—whether AI for Security or Security for AI. As an eager learner, I value continuous technical development, staying updated on key topics in my field and applying these concepts in practical ways for clients with a strong problem-solving mindset. What brings me the most satisfaction is being recognized as a technical reference across different areas of expertise, which validates the studies and dedication invested in my professional journey.

Can you share a benefit of using or integrating generative AI in cybersecurity?

Generative AI enables scale, speed and accuracy in risk management—automating evidence review, regulatory mapping and control testing—so experts can focus on high-value decision-making and strategy. This is especially relevant in governance, risk and compliance (GRC), which has historically been labor-intensive, costly and prone to human error. By applying generative AI, organizations gain efficiency, broader coverage and reduced operational risk. Practical use cases include contract analysis, policy and procedure reviews, data correlation, control harmonization and performing gap analysis against leading practices.

Name one cybersecurity resource or person that all security professionals or leaders should follow, and why.

I recommend combining different perspectives to gain a well-rounded view of the cybersecurity landscape. The World Economic Forum’s Global Cybersecurity Outlook reports provide strategic insights into resilience and governance. IBM’s Institute for Business Value (IBV) offers forward-looking research on cyber strategy and transformation. Gartner, ISF, NIST and the Bank for International Settlements (BIS) contribute critical frameworks and guidance on governance, risk and resilience. The Institute of Internal Auditors (IIA) and the PCAOB bring assurance and oversight perspectives that are increasingly tied to cybersecurity. The Big 4 firms (EY, PwC, Deloitte and KPMG) provide cross-industry regulatory and transformation insights, while insurance leaders such as AON and Allianz add risk transfer and financial resilience viewpoints. For operational and domain-specific insights, providers such as Prevalent, Proofpoint and KnowBe4, as well as institutes like the Third Party Risk Institute and the IAPP, bring focused expertise on third-party, awareness and privacy governance. Together, these resources help security professionals balance strategic vision with practical execution.

Do you have a favorite security conference to attend/follow, and why?

The Gartner Security & Risk Management Summit stands out for connecting governance, resilience and regulatory themes directly to executive and board-level concerns. I also value the ISF World Congress for its thought leadership and global community of practitioners, and the RSA Conference for its breadth of innovation and visibility into emerging trends and technologies.

What’s one recommendation you would give to help organizations protect their people, data or infrastructure?

Cybersecurity should be embedded into enterprise governance and risk management, not treated as a standalone technical function. Organizations must align protection efforts with business strategy, regulatory requirements and board-level accountability. Building a culture of awareness, coupled with resilient processes and tested response capabilities, is essential to protect people, data and infrastructure while enabling trust and sustainable growth.

What advice do you have for starting a career in cybersecurity?

Start with a strong foundation in business administration—covering strategy, value chain, corporate governance, management, performance and finance—together with governance, risk and compliance, and complement it with continuous technical learning. Be eager to study, stay updated and develop a cross-disciplinary perspective to connect the dots. Be curious and adopt a problem-solving mindset. Cybersecurity is a multidisciplinary field where backgrounds in law, finance, risk and technology all add value. Stay curious, pursue certifications and engage in communities of practice to build both expertise and professional networks. Most importantly, approach the field with the resilience to adapt as threats and technologies evolve.

Within your scope of work on CSS, what security trends are you watching in 2025 and beyond?

Key trends I am watching include the acceleration of regulatory requirements such as NIS 2, DORA and the SEC Cyber Rules; the growing importance of Nth-party risk management in global supply chains; and the integration of AI into governance, risk and compliance functions. I am also closely following how boards and executive leadership are taking on greater accountability for cyber resilience, making it a central element of corporate governance and long-term value creation.
