Cybersecurity leadership today isn’t defined by a single framework or control; it’s shaped by judgment, adaptability, and the ability to act decisively in an environment that never stops evolving. CISO Diaries was created to capture that reality. Through conversations with CISOs and senior security leaders around the world, this series explores how they actually work: how they structure their days, think about risk, stay mentally sharp, and lead under constant pressure. By focusing on habits, perspectives, and decision-making (not just incidents), CISO Diaries offers a grounded look at what modern security leadership really demands.
About the Interviewee: Tarik Ustuner
Tarik Ustuner is the Chief Information Security Officer at Bybit TR, where he is responsible for safeguarding the organization’s information systems in a high-stakes, fast-moving financial environment. In his role, Tarik designs and implements robust security protocols, works closely with internal teams to identify and mitigate vulnerabilities, and strengthens compliance with industry standards, driving measurable reductions in security incidents along the way. Known for his pragmatic, action-oriented mindset, Tarik approaches cybersecurity as a living discipline: one that requires a deep understanding of the business, constant awareness of the evolving threat landscape, and the resilience to respond decisively when it matters most.
How do you usually explain what you do to someone outside of cybersecurity?
I generally rely on analogies. Sometimes I say that my job is to keep people safe—occasionally even from their own actions 🙂 Explaining modern tech roles to those outside the industry can be tricky, so I often use a medical comparison: every area of expertise in cybersecurity is specialized, much like the various departments in a hospital.
What does a “routine” workday look like for you, if such a thing exists?
If you manage your workflow effectively and meet your deadlines, you can definitely establish a sense of routine. Although this field often demands working beyond standard hours, it also provides opportunities to carve out personal time if managed well. In my daily routine, I prioritize tracking industry trends and dedicating time to understanding the inner workings of my organization. The more intimately you know the details of the business, the more effectively you can protect it.
What part of your role takes the most mental energy right now?
Without a doubt, it’s the constantly evolving threat landscape. Almost every aspect of our lives is now digital, and while this world is all-encompassing, it is still relatively new and inherently vulnerable. Furthermore, the potential for illicit financial gain has significantly sharpened the appetite of malicious actors. As a result, you are in a constant state of thinking about how to stay one step ahead.
What’s one security habit or routine you personally never skip? (Work or personal.)
I perform regular audits of my own passwords and consistently monitor my digital footprint across the internet.
What does your own personal security setup look like?
As a security professional, I believe the most “secure” answer to this question is to keep those details to myself! 😀
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
I actively follow LinkedIn, X, and Reddit for real-time insights. Beyond social media, I make it a point to read a mix of technical publications and non-technical books to maintain a well-rounded perspective on leadership.
What’s a lesson you learned the hard way in your career?
In this profession, lessons often come through trial and error. However, my philosophy is not to dwell on setbacks, but to rise quickly and move forward even stronger, carrying the insights gained from those experiences. Resilience is the most valuable asset in this field.
What keeps you up at night right now, from a security perspective?
I don’t really let things “keep me up” in the traditional sense. In my view, a cybersecurity professional must always be ready to act. If a problem is serious enough to keep you awake, you stay up and solve it until it’s done. That’s my approach: action over anxiety.
How do you measure whether your security program is actually working?
Metrics for success are highly dependent on the specific company culture, organizational structure, and the environment you operate in. There is no universal “silver bullet” answer; it requires a tailored approach to risk and resilience.
What advice would you give to someone stepping into their first CISO role today?
The CISO role differs from other technical positions because it requires a deep understanding of the entire organization, not just the IT department. You need exceptional interpersonal skills. You must be able to persuade others and, essentially, “sell” your security vision and initiatives to stakeholders by aligning them with business goals.
What do you think will matter less in security five to ten years from now?
I believe manual code security will become less of a focal point. Not because it’s unimportant, but because AI-driven tools and intelligent control systems are becoming so advanced that they can catch flaws before code ever reaches production. This will likely alleviate the traditional “security bottleneck” in the development lifecycle.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
The security of autonomous systems—specifically the integrity and protection of unmanned vehicles and industrial equipment.