CISO Diaries: Dr. Tim Sattler on Driving Secure Growth in Industrial Environments


Security leadership is often framed around preventing breaches or enforcing policies, but rarely do we get insight into how CISOs operate in the real world. CISO Diaries aims to fill that gap by spotlighting leading CISOs across industries, exploring their daily routines, decision-making habits, and philosophies. This series provides a rare look into how these leaders balance risk, business enablement, and resilience while guiding global teams and complex organizations. Through these conversations, readers gain a practical, human perspective on what it takes to lead security in fast-moving, high-stakes environments.

About the Interviewee: Dr. Tim Sattler

Dr. Tim Sattler is the CISO of Jungheinrich AG, bringing over 25 years of experience in information security, cybersecurity, and IT governance, risk, and compliance across sectors including logistics, manufacturing, finance, and media. At Jungheinrich, he leads the company’s security strategy and transformation initiatives, focusing on enabling innovation and growth while building operational resilience. Beyond his corporate role, Tim serves on ISACA’s Board of Directors and has previously led ISACA Germany, helping shape the global security profession and advance knowledge-sharing and best practices. Known for his collaborative, business-focused approach, he transforms complex risks into actionable programs and empowers teams to make informed, high-impact decisions.

How do you usually explain what you do to someone outside of cybersecurity?

I help the business make informed risk decisions. My job is about making sure the company can operate, innovate, and grow without being derailed by cyber incidents. Security is not about saying “no”; it’s about enabling the business securely. I often compare my role to the brakes on a racing car. People tend to think brakes are there to slow you down. In reality, they allow the driver to go faster.

What does a “routine” workday look like for you, if such a thing exists?

There is no real routine, but there are recurring patterns. Most days are a mix of strategic topics, risk decisions, stakeholder conversations, empowering my team, and the occasional unexpected event.

What part of your role takes the most mental energy right now?

Supply chain security. Incidents in this area can affect both the physical supply of components for production and the software we rely on, for example when an IT service provider is compromised. In an industrial environment, this massively increases the attack surface. We are deeply interconnected with partners and customers. Ensuring that an incident at a small supplier doesn’t paralyze our production or our customers’ fleets is highly complex.

What’s one security habit or routine you personally never skip? (Work or personal.)

Out-of-band verification. No matter how urgent or plausible a request appears: if something feels unusual, I verify it through a second, independent channel – both at work and in my private life.

What does your own personal security setup look like? (High level.)

Nothing exotic, but very consistent:

  • Unique credentials everywhere
  • A password manager
  • MFA wherever it’s available
  • Regular backups following the 3-2-1 rule (three copies, two different media, one offline).

What book, podcast, or resource has influenced how you think about leadership or security?

  • Ross Anderson – Security Engineering: A foundational book that shows why security is ultimately about incentives, systems and trade-offs.
  • Douglas W. Hubbard & Richard Seiersen – How to Measure Anything in Cybersecurity Risk: This book fundamentally changed how I think about risk discussions with management.
  • Daniel Kahneman – Thinking, Fast and Slow: A constant reminder that most security decisions are made under cognitive bias and time pressure.
  • L. David Marquet – Turn the Ship Around!: Highly influential in shaping my leadership style, especially the idea of pushing decision-making to where the information actually resides.

What’s a lesson you learned the hard way in your career?

Never separate security from usability. If a security measure is too cumbersome, it will fail eventually. If you wouldn’t use it every day yourself, it needs redesign.

What keeps you up at night right now, from a security perspective?

Speed. Attackers scale and adapt faster than many organizations can decide. The key question is whether our detection, response, and improvement mechanisms are fast enough.

How do you measure whether your security program is actually working?

I focus on three dimensions:

  • Recovery metrics: How quickly are we able to return to normal operations after an incident?
  • Security culture indicators: Do employees actively report suspicious behavior instead of ignoring it?
  • Business enablement: How often is security involved early in a business initiative, rather than being called in at the end as the “gatekeeper”?

What advice would you give to someone stepping into their first CISO role today?

  • Understand the business. Go to the shop floor. Talk to the product teams. Learn how the company actually makes money.
  • Translate abstract cyber risks into concrete business impact. Boards decide on trade-offs. Making those trade-offs clear, honest, and timely is essential.
  • Influence matters more than expertise if you want real change. Being right is useless if no one listens.

What do you think will matter less in security five to ten years from now?

The classic password. We are moving rapidly toward passwordless authentication and identity verification based on behavior and context. In parallel, the idea of a clearly defined “secure perimeter” will continue to fade, replaced by Zero Trust approaches.

Looking ahead 10 years, what will security teams spend most of their time on that they don’t today?

The integrity and governance of AI agents. We won’t just be securing human users anymore. Security teams will oversee hundreds of autonomous AI systems making decisions on behalf of the company. Ensuring these systems haven’t been manipulated and don’t act on flawed or hallucinated assumptions will become a core responsibility.