Florence Mottay, VP and Group Chief Information Security Officer (CISO) of Zalando, the multinational online fashion retailer, didn’t follow a conventional route into cybersecurity business leadership, or the information security industry as a whole: “I would say I fell into it!”

In the late 90s, Mottay was an Applied Mathematics student in her native France when the the opportunity to join an exchange program at the Florida Institute of Technology arose.

A professor at FIT had said they had software engineering grants that could cover the remainder of her degree and Master's – if she swapped to software engineering. "So I said okay! I became a software engineer," she recalled.

After graduation, the same professor offered her a job at their new startup running vulnerability testing and exploit development – on contract with the US government.

“I joined as employee number seven. But I understood about half of what the guys were talking about! So for six months I worked every evening to try and understand how to write exploits – and I became quite good at it!”

Mottay went on to work in various cybersecurity roles in the US and eventually, back in Europe. She spent two years as a MD at IOActive, a cybersecurity company known for uncovering vulnerabilities in computer hardware, robots and Internet of Things devices.

Then, in 2016, Mottay moved into a CISO position for a major Dutch grocery retailer, working out of Amsterdam.

“I decided I needed a grown-up job,” she jokes.

Mottay’s position at Zalando marks her second CISO role and she’s been in the job since September 2022, splitting her time between Amsterdam, Zalando’s Berlin HQ and the company’s EU 'tech hubs.'

She’s responsible for managing Zalando’s almost 100-strong information security team, with functionalities split between identity and access management (IAM), threat intelligence and incident response, application security, privacy engineering, plus security governance, risk and compliance (GRC) and more.

But one thing stands out above all else.

“What’s most important is the security of our customer data, that’s non-negotiable,” said Mottay, referring to the company’s over 50 million online customers a year from across Europe, including the UK.

The department of ‘how?’ not the department of ‘no’

Customer security needs to be balanced with the company being able to provide efficient customer service and outcomes.

“As an information security function, we’re not here to stop the business, we’re here to enable it and we have to do that in the right way,” she explains.

“That means constantly finding the balance between risk and usability. If we need to enable the business to do something, the answer should never be ‘No’ it should be ‘How?’”

Mottay uses the same approach to aid Zalando's deployment of GenAI – a subject she was at the SANS Cyber Security Leaders Summit in London to discuss, and where we met for our conversation.

“Because we’re a tech business at heart and a bold business, our tech teams started experimenting with how they could leverage GenAI for our customers to make their experience better,” she said.

AI use cases include helping customers find clothing relevant to their fashion preferences, or deciding which size to order by analysing photos customers voluntarily upload.

Aware of security and privacy issues associated with rushed rollouts of GenAI, Zalando’s AI developers asked Mottay and her information security team to help build AI models.

“We were looking at things that were not security matters before: will the model output outcomes that are ethical? Will the model output something that’s incorrect that could give the wrong information to customers?” she explained.

Part of the security testing involved using 80,000 different AI prompts to help ensure the model could identify, prevent and flag attempts at malicious activity, Mottay told The Stack

Because Zalando has customers across Europe, the AI has been trained to respond to queries in multiple different languages.

The model has even been trained to identify languages like 1337 speak, to ensure guardrails are in place to prevent malicious activity.

“We cast the net as wide as possible,” Mottay said. “And maybe examining outputs that would list wrong shipping details is out of our [infosec] scope, but the fact is we were all learning together and we’re all looking at what red teaming should look like for those components.”

AI in cybersecurity: helpful, not a substitute for humans

Zalando is also using AI to aid cyber defence; Mottay described how AI security solutions are already being deployed to help triage incident reports and identify potentially malicious behaviour.

“It’s good to use these capabilities for tasks that are repetitive or take time that can be accelerated with AI,” Mottay explains.

She also stressed how important it is to remember AI isn’t anywhere near replacing information security staff and that personnel need to continue to get hands-on experience to develop their skills.

“As much as we hear everywhere that AI can now run investigations and crunch all the data, for me it’s really important to keep the human in control,” she said.

“It’s for the obvious reasons of making sure that the right steps are taken and to have oversight, but also because we need the teams to keep on practising their skills. Because if everyone is just watching it happen, people will lose their skills and their jobs will be much less interesting.”

Defending against AI-powered cyberattacks 

As with any tool, the rise of Large Language Models (LLMs) and other AI models has been exploited by criminals and other nefarious groups – a threat Mottay is very aware of.

Comparing it to her days as an exploit researcher, she believes the tools available to cyber criminals in 2025 – even those who aren’t tech savvy – mean it’s easier to be an attacker than it used to be.

“When I started, it was a handful of people and it was quite hard: we really had to dig into a piece of software, we really had to work hard to create an exploit. But since then we have a lot of tooling available that folks with less technical skills can leverage – that’s been increasing and something we need to be aware of,” she warned.

Software vendors ensuring that due process and secure-by-design are applied during the development of their products is key, Mottay argued.

“Because it may not be a cybersecurity problem, it may be a software problem that we need to tackle,” she explained.

Nonetheless, if there are security vulnerabilities in software, it's the CISO’s job to apply the correct patches and updates, as well as ensure the business has the tools and people in place to swiftly detect anomalous, potentially malicious activity – especially in that early period where a vulnerability has been disclosed, but the software vendor may yet to have released a patch.

“For me it’s really about continuing to push on remediating vulnerabilities in good time, continuing to adjust our threat intel, indicators of compromise and acting fast,” Mottay told The Stack.

“I think fast is probably the key word. And it’s about visibility as well: It’s about having good visibility of your environment so that you can act fast when something like that happens.”

A company’s CISO is there to help ensure that things don’t go wrong. But cyberattacks are constantly evolving. One person, or even a whole team, can't stay on top of absolutely everything being thrown at them.

“There’s not an end, there’s a constant threat,” Mottay warned – but she also has advice for CISOs tasked with facing these threats.

“We need to be prepared enough to be able to prevent what we can, detect what we can’t prevent and react fast enough. I think that once you have that in place and you know you’re continuously improving, it’s okay – because you can’t control what you don’t know,” she said.

In the event of an attack, the CISO needs to provide strong, stable leadership to remediate the incident and get the best possible outcome.

“When there’s a crisis, the CISO has to be captain of the ship and put the right people around the table and make sure the right conversations are being had,” she said.

The link has been copied!