Cybersecurity is often reduced to checklists, frameworks, and dashboards, but the reality is far more complex. In CISO Diaries, we explore what security leadership actually looks like behind the scenes: the constant trade-offs, the shifting priorities, and the responsibility of making decisions in environments where certainty is rare. This series goes beyond surface-level discussions to examine how CISOs think about risk, how they communicate it, and how they ensure security supports (not hinders) the business.
At its core, CISO Diaries is about clarity. It’s about understanding how security leaders cut through noise, challenge assumptions, and navigate the gap between what looks secure on paper and what is actually resilient in practice. Because in today’s landscape, the real challenge isn’t just defending against threats; it’s avoiding the illusion of safety while building systems that can adapt, evolve, and endure.
About Nikolas Oelkrug-Alders
Nikolas Oelkrug-Alders is Chief Information Security Officer at ARZ Haan AG Unternehmensgruppe, bringing a multidisciplinary background that spans technology research, aerospace development, power generation, and financial services. Known for his ability to translate experience across industries, he combines academic thinking with practical, real-world application to build security approaches that are both effective and adaptable.
A critical thinker and creative problem solver, Nikolas is recognized for challenging conventional approaches and focusing on pragmatic risk reduction across technical, organizational, and human dimensions. His leadership philosophy emphasizes transparency, adaptability, and a deep understanding of how businesses operate, ensuring that security initiatives align with real-world processes rather than adding unnecessary complexity.
How do you usually explain what you do to someone outside of cybersecurity?
I usually keep it simple and don’t even stress the word ‘cyber’ as it deflects from the actual asset in focus. My job is to keep important information in the company safe, so people and processes can work reliably. I don’t like to think in narrow boxes like ‘just hackers’ or single attack vectors, but in overall risks to information, whether technical, organizational, or human, and how we reduce them in a pragmatic way.
My late grandmother was convinced my job was to stand in front of a bank with a weapon, because of the word security. In a sense, she was right: I do security, but my ‘weapons’ are technical tools, a clear strategy, and raising awareness so everyone in the organization becomes part of the protection.
What does a “routine” workday look like for you, if such a thing exists?
The interesting thing about my job is that there is almost no real ‘routine’. Things change fast, and a new zero‑day or incident can instantly reshuffle my priorities. I usually start the day by looking at our security dashboards and overnight alerts to see whether anything needs immediate action. A big part of my time then goes into working with different parts of the organization: understanding their processes, constraints, and how they actually create value. Only if I really understand how a department works can I improve its security posture in a way that fits and doesn’t just add bureaucracy. The rest of the day, I try to reserve for more strategic work: refining our roadmap, improving policies and controls, and preparing the reports and decisions that keep management informed.
What part of your role takes the most mental energy right now?
Right now, most of my mental energy goes into balancing compliance and business enablement. On one side, I have to make sure we meet regulatory and audit expectations; on the other side, I need to shape security initiatives so they don’t slow the business down but actually support its processes. In a mid-cap environment that’s challenging, because the role is both strategic, setting direction and governance, and very operational, being close to projects and incidents to make pragmatic trade-offs.
What’s one security habit or routine you personally never skip? (Work or personal.)
One habit I never skip is locking my devices the second I step away: laptop, phone, everything. At a previous company, we had the tradition of sending ‘Cake for everyone’ emails from any unlocked computer, and that very quickly trained me to treat an unlocked screen like a crime scene, in the best possible way.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
At a high level, my setup is pretty complete: password manager, MFA wherever possible, encrypted devices, and regular offline and cloud backups for the important data. On top of that, I run a small lab at home where I deliberately play with badly configured or intentionally vulnerable web servers and honeypots in a segmented environment to experiment with the ‘security no‑gos’ we strictly forbid in the business world and remind myself why our rules are so rigorous.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
I don’t really have a single ‘guru book’ or podcast. What influences me most is deliberately exposing myself to many different perspectives inside and outside the CISO bubble. I try to network broadly and not over‑optimize for our own industry because you can learn as much from a conversation at the local discount store or your kids’ school as from a security conference.
However, in terms of role models, one story that shaped how I think about ethics and responsibility is Roger Boisjoly’s stance before the Challenger launch, an engineer who tried to stop a mission he believed was unsafe and later spoke openly about the pressures and failures in that system. I was lucky enough to witness him in my first year of studies at my university in Canada.
Combined with a few former managers who pushed me to broaden my view beyond pure ‘cyber’, that mix strongly influences how I think about leadership and security today.
What’s a lesson you learned the hard way in your career?
Relatively early in my career, I had the opportunity to lead a large project: big team, lots of responsibility, and regular reporting to the executive board. I’m sitting in the CFO’s office, walking him through my status report, and I can already feel that what I’m saying is not really landing. He leans back and says something like: ‘This doesn’t match the numbers we’re seeing from the project.’
Then he takes my report apart point by point. Not because I had lied, but because I had sugar‑coated things. I wanted to protect my team, maintain harmony, and avoid exposing individuals. The problem is: that’s not always the job of a leader – especially not in information security. Our job is to be transparent about risks and issues, even when it’s uncomfortable, because otherwise decision‑makers act on false assumptions, and that is far more dangerous than any hard truth.
That meeting was brutally uncomfortable, but it burned one lesson into my thinking: loyalty to the team must never come at the expense of honesty towards executive management – particularly when it comes to risk.
Direct answer to the question: So the hard lesson I learned was that trying to ‘protect’ people by softening the truth actually undermines trust and leads to worse decisions. As a security leader, I now consciously choose clarity over harmony in my communication with executives – respectfully, but without sugar‑coating, because that’s the only way they can take real ownership of risk.
What keeps you up at night right now, from a security perspective?
What really keeps me up at night is the illusion of safety: the moment when everyone thinks “we’re fine” because the checklist is green. You can never be 100% secure, and being compliant on paper does not mean you are actually protected in practice.
What worries me most are the unknowns and blind spots behind that illusion: a combination of legacy systems, small misconfigurations, and very human mistakes that slip through despite all the frameworks and audits. In other words, the gap between the risk picture we present in reports and the messy, dynamic reality attackers see when they look at the organization.
How do you measure whether your security program is actually working?
There is no single magic KPI; measuring security is about watching whether risk is actually trending in the right direction over time. On the surface, some things have become easier, for example, measuring awareness through phishing simulations, training completion, or reporting rates.
More important to me, though, is filtering all the noise (vulnerability counts, alerts, findings) down to the subset that really matters for our crown jewels and seeing whether we are reducing that over time and keeping it down. If the high‑risk vulnerabilities, relevant incidents, and risk indicators are moving in the right direction and stay there despite new projects and changes, that’s when I feel the program is actually working, not just generating pretty dashboards.
What advice would you give to someone stepping into their first CISO role today?
For someone stepping into their first CISO role, I’d start with this: don’t try to secure everything. Instead, get obsessed with understanding your crown jewels and the business processes behind them. Spend your first months listening, mapping how the company really works, and building a clear picture of what you absolutely must protect and what ‘good enough’ looks like elsewhere.
From there, define a simple target picture and a few concrete next steps. Otherwise, it’s very easy to get lost in the complexity of frameworks, tools, and expectations. And for your own sanity, keep simplifying: if you can’t explain your priorities and trade‑offs in plain language to the business, they’re probably too complicated to execute sustainably.
What do you think will matter less in security five to ten years from now?
I’ll probably get some raised eyebrows for this, but I think the buzzword ‘AI’ as a differentiator will matter less in five to ten years. Not because AI goes away (it will be everywhere) but because it becomes just another layer of tools and platforms, not the thing you build your security strategy around.
What will matter more is how adaptable your whole approach is to new risk fields: AI abuse today, quantum‑enabled attacks tomorrow, and whatever comes next. That means rethinking our tools, architectures, and playbooks so they’re less tied to a specific hype cycle and more focused on quickly understanding new threats and folding them into a flexible, risk‑based model.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Looking ten years ahead, I believe security teams will spend much more time on managing cyber risk like financial risk, quantifying it, steering it, and discussing it as a standard part of business decisions. Ideally, IT and cyber risk will be as widely accepted and comparable as credit or market risk, so C‑suites use them as real steering parameters rather than treating them as a separate technical topic.
To get there, security teams will have to invest far more time in understanding business models and revenue streams, learning to speak the language of value and trade‑offs rather than controls and CVEs. In other words, less time explaining ‘what a vulnerability is’ and more time helping leadership choose between different risk‑and‑return options in a way that is as disciplined as today’s financial risk management.
