CISO Diaries: Siddharth Rajanna on Anticipation, Authority, and the Relentless Reality of Modern Cybersecurity


Behind every mature security program is a leader who lives in a constant state of anticipation. In CISO Diaries, we step inside the daily realities of cybersecurity leaders across the globe, exploring not just their strategies but their habits, pressures, decision-making frameworks, and personal philosophies.


This series looks beyond dashboards and frameworks to understand how CISOs actually operate: how they prioritize in the face of uncertainty, influence skeptical stakeholders, protect business-critical assets, and manage the psychological weight of knowing that unseen threats may already be probing the perimeter. Because modern cybersecurity leadership is not just technical; it’s strategic, political, operational, and deeply human.


In this edition of CISO Diaries, Siddharth Rajanna shares his candid perspective on vigilance, governance, offensive testing, and what it truly means to “ensure the organisation is not hacked.”

About the Interviewee: Siddharth Rajanna

Siddharth Rajanna is an accomplished IT Security Leader with more than 13 years of dedicated cybersecurity experience spanning governance, risk, compliance, offensive security, and large-scale security operations. He currently serves as Head of Cyber Security | CISO at BINGO Industries in Sydney, where he leads enterprise-wide cyber strategy, risk, and compliance initiatives aligned to frameworks such as PCI DSS and NIST CSF, third-party assurance, OT/SCADA security, and continuous security uplift programs.


With cross-industry experience across Telco, Mining, Retail, Aviation, Government, Education, and more, Siddharth combines deep hands-on technical expertise, ranging from XDR, Zero Trust, SIEM, vulnerability management, and cloud security, with executive-level influence and stakeholder management. Having evolved from security engineer to academic lecturer to executive security leader, he brings a balanced philosophy to cybersecurity: be humble, be street smart, and never lose sight of the organisation’s crown jewels.

How do you usually explain what you do to someone outside of cybersecurity?

Simple: “Ensure my organisation is not hacked and keep on top of regulatory/mandatory compliance without exceeding the budget where necessary.” But, to a completely non-techy person, like my wife: “My job is to worry and be suspicious of all IT systems and all people who work on those systems”.

What does a “routine” workday look like for you, if such a thing exists?

Nope. As a CISO, or rather in our cybersecurity world, no such thing as “routine” exists. The only ‘routine’ is anticipating new challenges across technology, people & processes.

What part of your role takes the most mental energy right now?

  • Convincing stakeholders of existing & emerging security threats vs risks vs potential remediation.
  • Enforcing authority to ensure critical gaps are ‘closed’ [Reminding stakeholders that security compliance controls are not just a tick in the box and the scope of each control needs to cover all in its remit]
  • Also, solutioning concepts for challenges that cannot be addressed through conventional tech or process.

What’s one security habit or routine you personally never skip? (Work or personal.)

Work: Due diligence across critical security processes that protect business-critical assets/crown jewels. Daily reading on cybercrime, threats & new emerging security tech (especially AI these days).


Personal: Never use my smartphone to click on any links or attachments received, regardless of the source. Never comment on any security breach-related news without knowing all the details. Not on social media except for LinkedIn.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

As mentioned above, I am not on social media, so my attack-surface protection is not very demanding. The rest of the strategy is confidential.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

To be honest, it’s my experience in IT Security, starting from my Bachelor’s degree in IT Security, working as a security engineer, then back to academics for my Master’s degree in Security, including teaching at Deakin University for a short while, and then back on the bandwagon working as security manager, consulting senior manager, executive security leader and finally now as a CISO.


Every step and jump has been a good teacher, some not so good experiences, and some amazing experiences working with some really smart and down-to-earth people. Overall, the lesson I have learnt in security leadership is to be humble but street-smart. After all, balance is critical.

What’s a lesson you learned the hard way in your career?

Complying with standard compliance framework controls is not sufficient to ensure adequate security, especially for crown jewels, which directly impact business resilience. And, dealing with bureaucratic people and the politics of it all, especially in some of the large enterprise organisations.

What keeps you up at night right now, from a security perspective?

Visibility of all threats and their vectors. The continuous, persistent fear that there could be a potential unauthorized access or a hacker who has found a way inside my org’s network without being aware of the intrusion.

How do you measure whether your security program is actually working?

Good Question.


The best way is to test against some critical threat vectors (continuous red teaming vs blue teaming). However, this is rarely achievable for various reasons, so I step back one step and ensure the right security products are in place to address the threat landscape and the ongoing uplift of the overall cybersecurity posture. Other critical tests include regular pentesting (internal pen testers), tabletop exercises, updating the Cyber Security Response Plans (and their associated playbooks), and phishing simulations.

I am not a fan of security metrics such as MTTR, MTTD, etc. These, I believe, are very superfluous. A very good measurement framework is to measure the actual maturity of all cybersecurity controls. For example, the NIST CSF lists some good maturity controls.

What advice would you give to someone stepping into their first CISO role today?

In a digitally disruptive world, with a lot of flux, issues, complex tech, and non-existent processes, the initial focus and key objective should be: “Ensure the organisation is not hacked.” Compliance, metrics, budget, management, and leadership: all of this comes later. This ensures the new CISO will review critical assets that could have a direct business impact if compromised, and then slowly but steadily steer the security ship across all domains. A new CISO needs at least 5 to 8 months to get going, regardless of their prior experience at other companies.

What do you think will matter less in security five to ten years from now?

My response will be very conservative for this one. I think not much will change regarding “less attention or less traction” in the security world. Of course, the AI bubble will last, and with innovative new AI security solutions, we will have better, seamless automated workflows to respond to security alerts and contain incidents. But the security knowledge and the core security people will remain as is. In fact, we will need more security professionals to address AI-related threats and potentially quantum computing-related issues as we head into 2040.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Autonomous workflows for incident response, AI-based compliance models that can measure the overall compliance security framework implemented, automatically calculate the risks, and also remediate. Maybe quantum computing might disrupt our current levels of encryption standards, leaving us with new security challenges.

Maybe over the next 100 years, we might go back to books & ledgers secured in a massive metal safe, as anything on the ‘wire’ will be easily vulnerable to unauthorized interception.