CISO Diaries: Einat Shimoni on Building Security That Enables Growth


Security leadership is often discussed in terms of breaches, frameworks, and tools, but rarely through the lens of the people making the decisions every day. CISO Diaries was created to change that. This interview series goes beyond titles and incident response plans to explore how today’s leading CISOs actually operate: how they structure their days, make high-stakes decisions with incomplete information, manage pressure, and balance protection with business momentum.

By spotlighting routines, habits, and personal philosophies, CISO Diaries offers an unfiltered look at the human side of cybersecurity leadership, where resilience, judgment, and clarity matter just as much as technology.

About the Interviewee: Einat Shimoni

Einat Shimoni is an infrastructure, cybersecurity, and AI leader with over 25 years of experience building resilient systems and security programs at scale. She currently serves as CISO and Head of IT at Lusha, where she leads global security and IT teams, develops practical cyber, privacy, and AI governance programs, and works closely with R&D and product teams to embed security by design into fast-moving innovation. Known for her business-minded, pragmatic approach, Einat translates complex risk into clear, executable decisions, helping organizations grow safely while maintaining trust, resilience, and operational velocity.

1. How do you usually explain what you do to someone outside of cybersecurity?

I usually say: “My job is to help the company grow safely.”

Security isn’t just about blocking threats, it’s about making sure people can move fast, build products, and serve customers without risking the business. I spend a lot of time making sure we prevent incidents, but also that when something happens, we’re ready and resilient.

2. What does a “routine” workday look like for you, if such a thing exists?

If I’m honest, there’s no truly routine day, but there’s a rhythm. I usually start with a quick scan of our threat landscape and internal signals: alerts, vulnerability updates, unusual activity, or anything that needs immediate attention.

Then the day is split between:

  • Partnering with teams (R&D, IT, Legal, Product, GTM)
  • Making decisions about risk and priorities
  • Planning future improvements
  • Aligning security with business needs

The most “routine” part is that every day involves balancing protection with progress.

3. What part of your role takes the most mental energy right now?

Risk decisions under uncertainty.

There’s rarely a perfect answer; you often have to decide based on incomplete information, while considering technical reality, business impact, customer trust, and timing.

It’s not just “Is this secure?” but “Is this secure enough for where we are right now, and what’s the smartest next step?”

4. What’s one security habit or routine you personally never skip?

Minimal privilege mindset: fewer apps, fewer permissions, less exposure.

And beyond that: I’m disciplined about separating work and personal environments.

5. What does your own personal security setup look like?

My personal security setup is designed around the reality of working in an AI-driven startup: a lot of SaaS tools, quick iteration, and constant experimentation.

So I keep it simple but very intentional:

  • Password manager + passkeys where possible, with unique credentials everywhere
  • MFA everywhere, ideally app-based or hardware-backed
  • Device hardening: full disk encryption, auto-lock, and minimal admin privileges
  • Separate environments: I strictly separate work and personal accounts, browsers, and devices when possible
  • Data discipline: I’m very careful with what I paste into AI tools; I treat prompts as data
  • Secure defaults: privacy-focused settings and least-privilege permissions
  • Backups + recovery: cloud backups plus an offline copy for the important stuff

6. What book, podcast, or resource has influenced how you think about leadership or security?

One concept that shaped me is “security is a product.” It has users, it needs adoption, it needs a good experience; otherwise people bypass it.

In leadership terms, I’m influenced by books that emphasize clarity and execution, because security is deeply about behavior and culture, not just tools.

7. What’s a lesson you learned the hard way in your career?

You can’t “security your way out” of bad incentives.

If the organization rewards speed at any cost, people will cut corners, even good people. Real security maturity comes when incentives, culture, and leadership align with the security goals.

Also: communication is everything. If you can’t explain risk clearly, you’ll lose the room even if you’re technically right.

8. What keeps you up at night right now, from a security perspective?

Two things:

  1. Third-party and supply chain risk — because so much of modern software depends on external components and vendors.
  2. Identity-based attacks — attackers don’t always “hack” anymore; they log in.

9. How do you measure whether your security program is actually working?

I look at security the way you measure a health program: prevention + readiness + recovery.

  • How quickly we detect and respond (MTTD/MTTR)
  • Reduction in high-risk vulnerabilities
  • Phishing resilience and user behavior metrics
  • Audit readiness and customer trust signals
  • Incident learnings: Are we improving after each event?
  • And importantly: how often security blocks business unnecessarily

10. What advice would you give to someone stepping into their first CISO role today?

Start by learning the business deeply. If you don’t understand revenue flows, customer promises, product architecture, and priorities, your security strategy will be disconnected from reality.

  • Build trust before you build control.
  • Don’t try to fix everything at once; focus on the biggest risks.
  • Create a narrative: people follow clarity, not fear.

And invest in relationships. The best security programs are built through partnership, not enforcement.

11. What do you think will matter less in security five to ten years from now?

I think “perimeter thinking” will matter much less.

The idea that we can protect a company by guarding the network edge is already outdated. Everything is cloud-based, distributed, and identity-driven.

Also: security programs that focus heavily on compliance checklists without real risk reduction will become less relevant. Compliance will remain important, but it won’t be enough.

12. Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

I think security teams will spend far more time on:

  • AI governance and model security: preventing data leakage, poisoning, misuse, and ensuring trust in AI-driven decisions
  • Continuous assurance: real-time, automated verification instead of periodic audits
  • Security as engineering: building secure defaults directly into platforms and product development, with less manual control and more automation
  • Business risk and resilience: not just “prevent breach,” but ensuring the company can operate through disruption (including geopolitical, supply chain, and systemic risk)

Security will become even more embedded into product and operations: less reactive, more strategic.