CISO Diaries: Jörg Scheiblhofe on Risk, Resilience, and Security as a Management Discipline

Cybersecurity leadership is often framed around incidents and technologies. But behind every framework, every escalation, and every high-stakes decision is a leader navigating uncertainty in real time. CISO Diaries explores that human dimension of the role: how today’s CISOs think, prioritize, communicate, and sustain operational resilience in an increasingly complex digital world.

In this edition, we speak with Jörg Scheiblhofe about balancing regulatory pressure with real-world risk, why security must be understood as a management discipline rather than a technical function, and how clarity of communication can be just as critical as any control or tool. His perspective reflects a pragmatic philosophy: security is not about eliminating risk; it is about enabling an organization to operate confidently in its presence.

About the Interviewee: Jörg Scheiblhofe

Jörg Scheiblhofe is Chief Information Security Officer at ORF, where he has served in leadership roles for nearly two decades and has been CISO since 2021. With deep expertise in IT security, information security management, IT management, and risk management, he focuses on ensuring the organization’s operational stability in the face of evolving digital threats.

He is known for his disciplined, risk-based approach to decision-making and his emphasis on clear, audience-specific communication. Viewing security as an integrated management responsibility rather than a standalone IT function, Jörg works closely with leadership and business units to make risks transparent, align resources effectively, and embed resilience into the organization’s strategic direction.

How do you usually explain what you do to someone outside of cybersecurity?

I usually describe my role as CISO by saying I am responsible for ensuring the organization can operate even in the face of digital risks. Information security is not an end in itself; it is a fundamental prerequisite for trust, stability, and reliable service delivery, both internally and externally.

More concretely, my task is to present cyber and information security risks transparently, assess their potential impact, and outline realistic courses of action. I explicitly see myself as a supporter and enabler of the business. It is not about blocking initiatives, but about making risks understandable and sketching feasible mitigation paths. Ultimately, deciding which option to pursue is a conscious business decision.

A central part of my role is also target-group-oriented communication. Security risks need to be conveyed in a way that is understandable, relevant, and actionable for management, business units, and operational teams alike. 

What does a “routine” workday look like for you, if such a thing exists?

There is hardly such a thing as a routine in my role. While there is usually a plan for the day, it often must be adjusted at short notice due to emerging topics or events. 

My workday consists of strategic steering, coordination with management and technical and business teams, risk assessment, and involvement in operational matters. Communication plays a major role in coordinating diverse stakeholders and translating complex issues into decision-relevant information. 

In addition, the role requires continuous intake and assessment of new information, including emerging threat landscapes, relevant cybersecurity developments, and ongoing security incidents. Because of this dynamic, priorities can shift at any time, especially when security-relevant events or external factors arise.

What part of your role takes the most mental energy right now?

At the moment, the most mentally demanding aspect is balancing regulatory requirements, real threat scenarios, and the organization’s operational capabilities. It is about deploying limited resources in a way that actually delivers risk reduction.

What’s one security habit or routine you personally never skip? (Work or personal.)

I base all security-relevant decisions strictly on risk and facts and usually never on gut feeling. Consistently questioning assumptions and demanding reliable evidence is an indispensable habit for me.

What does your own personal security setup look like?

At a high level, I consistently use multi-factor authentication wherever possible, use different passwords (and I have lots of them), and clearly separate devices and contexts for different purposes. What matters to me is less the individual tool and more the discipline in using them and maintaining a healthy level of “IT-security paranoia.”

What book, podcast, or resource has influenced how you think about leadership or security?

My thinking has been shaped less by technical resources and more by literature on leadership, decision-making, and risk management. The most lasting impulses for a CISO often come from outside traditional IT security literature. Looking beyond one’s own field is essential to understand security not in isolation, but in its organizational and human context. 

I regularly listen to podcasts, especially as a complement to my workouts. They allow me to absorb different perspectives and reflect on current topics, even though time is naturally limited. 

Boxing has also played an important role in my life over the years. It teaches principles such as endurance, discipline, and the ability to cope with setbacks and emerge stronger; these mindsets are equally essential in a professional context.

There is also a parallel to security communication: a coach has only a few seconds between rounds to give critical instructions. I view my role similarly: filtering the essential from a wealth of information and conveying it clearly, concisely, and tailored to the audience. 

What’s a lesson you learned the hard way in your career?

That formal responsibilities alone do not create security. Impact arises only when roles, responsibilities, and decision-making pathways are consistently understood and lived in day-to-day operations and when leaders accept information security as part of their own accountability.

What keeps you up at night right now, from a security perspective?

Not a single technical scenario, but systemic risks: complex dependencies, supply chains, human misjudgments under stress, and geopolitical developments that can have immediate effects on the cyber threat landscape.

How do you measure whether your security program is actually working?

Not by KPIs alone, but by effectiveness: Are risks identified early? Are incidents managed without destabilizing operations? Are decision paths clear? Metrics are important, but they must be embedded in an overall context.

What advice would you give to someone stepping into their first CISO role today?

Even if it sounds obvious, the most important first step is to deeply understand the company’s business model, organizational culture, and decision-making logic. Without this foundation, information security remains an abstract concept with limited impact. 

Equally essential is understanding that the CISO’s role is not to eliminate risks entirely because absolute security is unattainable. The goal is to make risks transparent, manage them purposefully, and work with the business to make well-informed decisions about their acceptance or treatment. 

What do you think will matter less in security five to ten years from now?

From my perspective, tool-focused discussions and isolated technical solutions without strategic context will lose importance. Security will increasingly be understood as an integrated management discipline and not an isolated IT function. 

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Security teams will dedicate significantly more time to security governance, risk alignment, resilience planning, and supporting strategic business decisions. Technical measures will remain important but will be more automated and standardized.