Navigating the Cyber Storm: Randall Jackson on Fortifying Income Research Against Global Threats

In an era where cyber threats transcend borders and regulatory landscapes grow increasingly complex, Randall Jackson, Chief Information Security Officer (CISO) at Income Research + Management, offers a compelling perspective on navigating the evolving cybersecurity terrain.

With nation-state attacks, supply chain vulnerabilities, and AI-powered threats reshaping the risk environment, Jackson’s strategic vision is grounded in pragmatism and foresight. His approach balances the demands of U.S. regulations, like the SEC’s stringent disclosure rules, with global influences such as GDPR and NIS2, ensuring compliance enhances rather than hinders operational resilience.

As financial services face heightened scrutiny, Jackson emphasizes proactive measures, like hardened supply chain defenses, zero trust architectures, and AI-driven analytics, to stay ahead of sophisticated adversaries.

Jackson’s insights to The Daily Post reveal a nuanced strategy for managing third-party risks in a SaaS-driven world, where visibility is as critical as agility. By integrating geopolitical considerations, from U.S.–China tech tensions to European digital sovereignty, into vendor strategies, he underscores the need for a “surgical” approach to risk that prioritizes data residency and supply chain transparency. His focus on resilience—through rapid detection, isolation, and recovery—positions cybersecurity as a competitive edge, not just a defensive necessity. As AI transforms both attacks and defenses, Jackson advocates for adaptive tools like behavioral analytics and smart playbooks, paired with innovative processes to outmaneuver adversaries.

This interview delves into how Jackson is steering Income Research through a dynamic threat landscape, blending cutting-edge investments with disciplined risk management. From fortifying cloud security to embedding compliance into incident response, his strategies offer a roadmap for U.S. enterprises aiming to thrive in an interconnected, high-stakes digital ecosystem. 

Join us as we explore how Jackson is redefining cybersecurity for the future.

1. How are emerging global cyber threats, such as nation-state attacks and supply chain vulnerabilities, shaping your strategic priorities in the next 12–24 months?

While we operate in the U.S., that doesn’t insulate us from global cyber fallout. Nation-state actors don’t need your logo on a government watch list — just your vendor in the wrong place at the wrong time. Our priorities are shifting toward hardened supply chain defenses, including deeper due diligence and monitoring of third-party risk. We’re assuming compromise is a matter of “when,” not “if,” and building containment and recovery strategies accordingly. It’s not about being paranoid — it’s about accepting that today’s threat actors have longer arms and faster tools than ever before.

2. Given the increasing regulatory pressures in both the U.S. (like SEC cybersecurity disclosure rules) and globally (such as GDPR and NIS2), how are you balancing compliance with operational resilience?

In financial services, regulatory pressure isn’t new — but the SEC’s recent focus on real-time disclosure has certainly raised the stakes. We’ve moved beyond treating compliance as a documentation exercise; it’s now embedded in our incident response, board reporting, and risk governance. While we’re not directly under GDPR or NIS2, we keep an eye on global developments — both because best practices travel fast and because today’s edge case can be tomorrow’s mandate. The goal is to be breach-ready in a way that holds up to both scrutiny and stress.

3. What trends in cybersecurity investments — like zero trust architecture, AI-driven security tools, or cloud security — do you see gaining the most traction in the U.S. versus international markets?

Zero trust has gone from buzzword to baseline. In U.S. financial services, it’s no longer a question of if but how well. AI is the other major frontier — not in a sci-fi “sentient SOC” way, but as a force multiplier for overburdened teams. It’s helping our InfoSec team spot threats faster, cut through alert fatigue, and automate the boring-but-critical stuff. Cloud security remains top of mind too, especially as we move more sensitive workloads into environments we don’t fully control. While we track international trends, our investment mindset is shaped by U.S. regulations, threat models, and customer expectations.

4. How are you adapting your risk management approach to address the growing reliance on third-party vendors and SaaS platforms, both domestically and globally?

The shift to SaaS has been a blessing for business agility, and a nightmare for visibility. We’ve reengineered our third-party risk program to be intelligence-driven, and intolerant of dead weight. Our risk models now account for vendor access levels, data sensitivity, and even geopolitical exposure, because where your vendor hosts their data does matter, even if you never leave the country. We also build in kill switches — contractual and technical — so we’re not held hostage if a critical service suddenly becomes a liability.

5. With the rise of AI-powered cyberattacks, what new defenses or innovations do you think will become essential for U.S. enterprises to stay competitive and secure?

The bad guys are using AI to write better phishing emails and evade detection — which means our defenses have to get smarter, faster, and more adaptive. We’re leaning into AI-based behavioral analytics, anomaly detection, and smart playbooks that can respond in seconds, not hours. But we’re also investing in resilience — because no tool is perfect, and downtime is expensive. The real innovation isn’t just tech; it’s process. How fast can you detect, isolate, and recover? That’s the new competitive edge. Bonus points if your adversary wastes time attacking a honeypot instead of your real data.

6. How do you see the evolving geopolitical landscape (e.g., U.S.–China tech tensions, European digital sovereignty initiatives) impacting your organization’s cybersecurity posture and vendor strategy?

Geopolitics used to be something we watched on cable news — now it’s in procurement meetings. U.S.–China tech tensions have made us rethink hardware sourcing, firmware trust, and even who writes that code. While we’re not directly affected by European digital sovereignty rules, they’ve influenced how we evaluate cloud providers and contract terms. We’ve adopted a more surgical approach to vendor risk — one that looks beyond SOC 2 reports and into supply chain lineage, data residency, and legal jurisdiction. If a vendor can’t answer “Where’s your data, really?” — they’re off the list.