CIO Insights: Why Cybersecurity Is Now a Business Imperative

By The Pittsburgh Technology Council

Pictured from left: Dan Desko, Echelon Risk + Cyber; Tom Dugas, Duquesne University; Audrey Russo, Pittsburgh Technology Council; Dan Farrah, Duquesne Light; and Todd Porterfield, PJ Dick – Trumbull – The Lindy Group.

At the Pittsburgh Technology Council’s latest CIO Insights, senior technology leaders from across the region made one point unmistakably clear: cybersecurity is no longer an IT problem. It’s a business imperative that touches every function, every employee, and every strategic decision.

The panel featured Tom Dugas, Vice President for Technology and CIO at Duquesne University; Dan Farrah, CIO of Duquesne Light; and Todd Porterfield, CIO of PJ Dick – Trumbull – The Lindy Group. Moderated by Dan Desko, CEO & Managing Partner, Echelon Risk + Cyber, the conversation highlighted how CIOs are reshaping their organizations’ approach to risk, resilience, and innovation. 

Cyber Risk Is Growing—and Becoming Harder to See 

Dugas, who previously served as Duquesne University’s first Chief Information Security Officer, opened by underscoring the complexity of securing a higher-ed environment—essentially “10 businesses…in one institution.” From HIPAA to PCI to GDPR, universities must meet a staggering range of compliance obligations—all while tens of thousands of unmanaged student devices connect to campus networks every day. 

But the bigger challenge, Dugas emphasized, is the sophistication of modern cyberattacks. 

“It used to be easier for us to detect them… but now they’re so far advanced that even our most distinguished faculty, staff, and students are not able to distinguish what threats are coming in.” 

AI has eliminated the easy tells—bad spelling, clumsy formatting—making phishing and social engineering dramatically harder to spot. “You pop that thing in an AI generator and it looks, talks, acts just like I am,” he said. 

Critical Infrastructure Raises the Stakes 

For Duquesne Light CIO Dan Farrah, the conversation around cyber risk is existential. 

“Our top two risks across the organization are cyber related,” he shared, referencing both operational control of the grid and data loss. 

With state-sponsored actors increasingly targeting utilities, Farrah described a landscape where attackers “get into your network… sit and wait,” forcing utilities to obsess over hygiene, patching, access control, and technical debt. 

AI brings both opportunity and new exposure. Duquesne Light has embraced tools like Microsoft Copilot but keeps them tightly controlled: 

“We take a very conservative approach… we try to isolate that group as much as possible… so on the OT side we’re more protected.” 

Construction’s Expanding Threat Surface 

There was a full house at the Pittsburgh Technology Council's CIO Insights.

Todd Porterfield brought the perspective of a construction CIO overseeing more than 100 job sites, each effectively a mini-regional office. The challenge? A sprawling ecosystem of subcontractors, many much smaller and less sophisticated.

“It’s our role almost in a way to play Big Brother… some of those things are out of our control, but we do try to help those smaller subcontractors,” he explained. 

Look-alike domains, fraudulent bank-change requests, and vendor impersonation are daily realities. Porterfield described a recent case where a subcontractor unknowingly wired funds to a fake domain, a mistake that “could take them out of business.”

Cybersecurity as a Strategic Business Driver 

Across industries, CIOs agreed: security must move upstream into strategy, governance, and board-level decision-making. 

Dugas regularly briefs his board on risks and responsibilities, noting that “you have to be upfront about what that is and what you will get from that.” 

Farrah emphasized the importance of simulations and crisis exercises with directors: “We practice that to make sure that we’re aligned in the way that we execute it.” 

The Power of Partnerships 

One of the strongest themes was the need for community, including vendors, universities, utilities, and construction firms all learning from one another. 

“We’re interconnected in so many ways… our ability or willingness to share information is really critical,” Dugas said. 

Farrah echoed that trust and honesty are essential: “To be a partner, you’ve gotta have honesty and integrity… we’ve gotta have a good, clear relationship.” 

As cyber threats grow in sophistication, today’s CIOs are embracing a broader, more holistic mandate by aligning security with innovation; educating boards; enabling the business; and building a culture of resilience. 

CIO Insights made one thing abundantly clear: cybersecurity isn’t just about protecting systems, it’s about protecting the future of every organization. 

Thank you to our sponsors for making this event possible:

Presenting Sponsor

 

Supporting Sponsors

KPMG

Red Canary