Security leadership is often framed around tools, alerts, and frameworks, but the human decision-making behind it is just as critical. CISO Diaries explores this human side, giving readers an inside look at how security leaders structure their days, make high-stakes decisions, and align security with business priorities. Each installment highlights routines, habits, and philosophies that shape resilient, effective security programs, offering lessons for CISOs, security managers, and anyone navigating complex risk environments.
About the Interviewee: Liav Shlezinger
Liav Shlezinger is a GRC and cybersecurity leader with over 15 years of experience in highly regulated defense and aerospace environments, specializing in translating complex U.S. regulatory frameworks, including NIST, DFARS, FAR, and CMMC, into practical, auditable, and business-aligned security programs. Currently serving as Information Security Manager at RADA (effectively the local CISO post-acquisition by DRS), Liav leads governance frameworks, risk management initiatives, and security baselines to support operational resilience and compliance. He is known for bridging the gap between regulatory intent and real-world execution, emphasizing clarity, trust, and sustainable security practices over checkbox compliance.
How do you usually explain what you do to someone outside of cybersecurity?
In one sentence? I’m the one who asks uncomfortable questions before something breaks instead of explaining it after.
My job is to translate cyber risks into business language and help management sleep better while I sleep a little less.
It’s part strategist, part firefighter, and part therapist.
What does a “routine” workday look like for you, if such a thing exists?
Most of my day is spent deciding where not to spend time…
It’s about filtering noise from the signal.
Part of my time is spent on ongoing projects – supporting customer security requirements, shaping controls for new initiatives, or helping teams design solutions to align with business goals.
Another part is more strategic – working on cyber strategy, risk management, and making sure security priorities stay aligned with how the business is working.
What part of your role takes the most mental energy right now?
The most mentally demanding part right now is building cyber awareness and culture across the organization.
Technology is the easy part; the real work is getting people to make better security decisions in their day-to-day work and to integrate security aspects into their processes.
What’s one security habit or routine you personally never skip? (Work or personal.)
Synchronizing with the staff. I take advantage of the traffic jams, and before my day begins, I make two phone calls: one to the MSSP manager and the other to my direct manager.
It’s a great way to get a status brief and then deliver it up the chain.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
First of all, the environment – on one side of my desk, I have a picture of my beautiful family to remind me why I do what I do. On the other side, I have a picture of my mother-in-law to keep me focused.
From the technical side, I keep things super simple: a password manager, MFA everywhere possible, and, most importantly, I track my kids’ locations so I know they’re safe and don’t skip school.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
I listen to Jordan Peterson (read his books “We Who Wrestle with God” and “12 Rules for Life”), Sum IT Up, GRC Academy, and, just for fun, The Ringer NBA Show.
What’s a lesson you learned the hard way in your career?
A hard lesson is – never assume you’re the smartest person in the room, even if you’re the most professional.
Knowledge is not a straight line; it is a wide sheet with many aspects that should be taken into account, other than expertise in your domain.
Sometimes, it is best to listen to others more experienced than yourself.
What keeps you up at night right now, from a security perspective?
Groups like Handala and Cyber Toufan that are constantly publishing new victims connected to the Israeli defense ecosystem.
In many cases, the initial weakness is a third party.
How do you measure whether your security program is actually working?
I look at employees’ behavior.
For example, we have a dedicated cyber mailbox, where employees can report suspicious emails or ask security-related questions.
When I first joined, it didn’t exist. A few months after we launched it, the volume of emails exploded.
At first, that looks like a problem, but in fact, it shows progress.
People became aware, cautious, and actively engaged with security.
Over time, the volume stabilized and then slowed, indicating that security thinking became part of the routine and organizational culture.
What advice would you give to someone stepping into their first CISO role today?
Patience!
In your first month, don’t fix anything, and don’t do security!
Meet with as many people as you can across the organization, listen to them, and write down everything.
Map everything! Focus on People, Process, and Technology. Build trust.
What do you think will matter less in security five to ten years from now?
In my opinion, hands-on roles will matter less, while roles focused on judgment, regulation, and risk management will matter more.
In the IR world and SIEM/SOC, AI will take over most of the repetitive parts of security operations – alert triage, correlation, enrichment, and large portions of Incident Response.
Every pattern-based task will simply be done better by AI.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Security teams will spend much more time and resources on managing and governing AI-driven security systems than on operating tools themselves.
We will lose a lot of knowledge because we won’t need it.
The focus will be less on “What happened,” and more on whether automated decisions are correct, compliant, and aligned with business and regulatory expectations.
