CISO Diaries: Rodrigo Franco de Godoi on Strategy, Scale, and Cybersecurity Leadership in Complex Organizations

Cybersecurity leadership today sits at the intersection of technology, business strategy, and organizational transformation. Nowhere is that more evident than in environments shaped by rapid growth, mergers, and evolving digital risk.

In this edition of CISO Diaries, we speak with Rodrigo Franco de Godoi, Chief Information Security Officer at Elo, about what it takes to lead security programs across diverse industries and large-scale operations. With more than two decades of experience spanning financial services, retail, logistics, industrial, and technology sectors, Rodrigo shares how strategic planning, governance, and execution come together in real-world security leadership.

Rodrigo reflects on aligning cybersecurity and fraud prevention with corporate strategy, restructuring security organizations post-merger, and applying frameworks like NIST, ISO 27002, COBIT, and DevSecOps to drive measurable business outcomes. His perspective highlights the importance of disciplined governance, pragmatic execution, and strong leadership in building security programs that scale with the business rather than slow it down.

For CISOs, security leaders, and executives navigating complex digital transformations, this conversation offers grounded insights into how security becomes a driver of resilience, efficiency, and long-term value.

1. How do you usually explain what you do to someone outside of cybersecurity?

I usually say that my job is to help the business move fast without breaking trust.

In practical terms, I work to ensure that technology enables growth, innovation, and efficiency while managing risks that could harm customers, revenue, or the company’s reputation. Cybersecurity is not about blocking things; it’s about making informed decisions so the business can move forward safely.

2. What does a “routine” workday look like for you, if such a thing exists?

There is no real routine, and that’s part of the job.

A typical day usually involves a mix of strategic discussions with executives, risk prioritization, vendor and architecture decisions, incident or threat briefings, and mentoring leaders within the security and technology teams. The constant context-switching between technical depth and business language is what defines most of my days.

3. What part of your role takes the most mental energy right now?

Aligning speed, security, and accountability.

Businesses want to move faster than ever, especially with cloud, digital products, and AI. The challenge is enabling that speed while ensuring risks are understood, owned, and mitigated, without turning security into friction or bureaucracy. 

4. What’s one security habit or routine you personally never skip? (Work or personal.)

Risk review.

Whether it’s a formal risk committee, a quick conversation, or a mental checklist, I never skip asking: “What could go wrong, what would be the impact, and are we comfortable with that risk?”

This habit applies equally to work decisions and personal digital behavior.

5. What does your own personal security setup look like? (High level.)

I keep it simple and consistent:

  • Password manager with unique passwords
  • MFA everywhere it’s available
  • Device encryption and automatic updates
  • Cloud backups for critical data
  • Minimal exposure: fewer apps, fewer permissions, fewer devices

Good security is about discipline, not complexity.

6. What book, podcast, or resource has influenced how you think about leadership or security?

Many non-technical leadership resources have influenced me more than security books.

What shaped my thinking the most is the idea that leadership is about clarity and trust, not control. Security works best when people understand why something matters, not just what the rule is.

7. What’s a lesson you learned the hard way in your career?

You can’t “own” all security decisions alone.

Early in my career, I tried to personally guarantee security outcomes. Over time, I learned that sustainable security comes from shared ownership, clear accountability, and well-defined decision frameworks. The CISO enables, the business decides.

8. What keeps you up at night right now, from a security perspective?

The growing gap between technology adoption speed and organizational maturity.

AI, automation, and third-party ecosystems are evolving faster than governance, culture, and skills. The technical risks are manageable; the human and organizational risks are harder.

9. How do you measure whether your security program is actually working?

Not by the number of tools.

I look at:

  • Reduction of material risks
  • Faster and more confident decision-making
  • Incident impact and recovery time
  • Business trust in the security function

If the organization can move faster because of security, not despite it, the program is working. 

10. What advice would you give to someone stepping into their first CISO role today?

Learn the business before changing the security.

Listen more than you talk in the first months. Build relationships with executives. Translate security into business outcomes. And remember: your credibility will come from judgment and consistency, not from technical perfection.

11. What do you think will matter less in security five to ten years from now?

Tool-centric discussions.

Security maturity will matter far more than which vendor is used. Organizations will care less about individual technologies and more about how well risks are governed, automated, and integrated into business decisions.

12. Looking ahead 10 years, what will security teams spend most of their time on that they don’t today?

Managing machine-driven risk.

Security teams will increasingly oversee AI behavior, automated decision systems, identity-to-identity interactions, and ecosystem-level trust. The role will be less about reacting to alerts and more about designing guardrails for autonomous systems.