Cybersecurity leadership today is less about building walls and more about helping organizations make better decisions under uncertainty. In CISO Diaries, we speak with leading security executives around the world to understand how they navigate that reality: how they structure their days, make judgment calls under pressure, build trust across the business, and think about the future of risk. This series goes beyond breaches and tooling to explore the habits, philosophies, and operational realities shaping modern security leadership.
By focusing on the people behind the programs, CISO Diaries highlights a broader truth: effective security is often less about saying no and more about enabling progress safely. As the attack surface expands through AI, software supply chains, and increasingly dynamic digital ecosystems, the role of the CISO is becoming more strategic, more embedded in business governance, and more centered on resilience than ever before.
About Thomas Kopeinig-Gatterer
Thomas Kopeinig-Gatterer is Chief Information Security Officer at RUBICON IT GmbH, where he leads security strategy in a high-scale technology environment with a focus on aligning protection, business enablement, and risk management. His approach centers on helping organizations take risks intelligently, translating technical threats into business impact and ensuring security is embedded into decisions early, rather than added as an afterthought.
Known for his pragmatic and systems-oriented mindset, Thomas emphasizes that strong security programs are measured not only by controls and KPIs, but by resilience, cultural adoption, and whether teams make better security decisions without constant oversight. His perspective spans emerging risks such as identity compromise, supply chain threats, and AI-driven attack capabilities, while also reflecting a broader shift toward continuous assurance, governance, and proving the effectiveness of controls in an increasingly regulated world.
How do you usually explain what you do to someone outside of cybersecurity?
I usually describe my job as helping the business take risks intelligently rather than avoiding them blindly. Cybersecurity isn’t about saying “no”, it’s about enabling the company to operate safely in a hostile digital environment. I translate technical threats into business impact — revenue, reputation, security — and then work with leadership (CEO, COO, CFO, etc.) to make informed decisions about how much risk we’re willing to accept and where we should invest to reduce it.
What does a “routine” workday look like for you, if such a thing exists?
First things first – coffee, tea or any other beverage.
There’s structure, but rarely a fixed routine. My day typically shifts between strategic alignment meetings with executives, product teams, and legal, and operational tasks such as reviewing incident reports, threat intelligence, and key risk indicators.
I usually spend a significant amount of time unblocking teams, making prioritization decisions, and ensuring that security is embedded and enabled in business processes ahead of time rather than added afterward.
What part of your role takes the most mental energy right now?
Right now, the biggest mental challenge is balancing speed and security in an increasingly AI-driven world. It’s not so much about understanding the threats and vulnerabilities in detail, but about making high-quality decisions under uncertainty. The business expects rapid innovation, while the attack surface expands faster than traditional controls can keep up with.
What’s one security habit or routine you personally never skip? (Work or personal.)
One habit I never skip is making sure that controls actually work in practice, not just on paper. It’s easy to design processes, policies, and technical safeguards that look solid in theory, but the real test is whether they hold up in the real world. That means regularly challenging assumptions, testing controls end-to-end, and making sure that reality matches our expectations. This matters even more when people are involved, because you can’t fully predict how individuals will interpret, adapt to, or even bypass controls.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
Very pragmatic.
I use two password managers to store credentials, with a strict separation between personal and professional services. I enable MFA whenever possible (e.g. YubiKeys, authenticator apps, etc.).
I also follow a classic 3-2-1 backup strategy.
Another key principle for me is assuming endpoints are untrusted by default, even within my home network.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
I wouldn’t point to a single book, podcast, or resource. It’s really the result of continuous, lifelong learning — taking in a wide range of inputs over time and gradually connecting the dots. I believe it’s important to stay open to different perspectives rather than tying yourself to one “defining” influence too early. That’s how you develop your own perspective and judgment.
I particularly like podcasts because they are an easy way to explore new topics and perspectives. They fit naturally into everyday life and can be consumed “in the background,” especially during activities like endurance sports. They make it easy to keep learning without needing dedicated focus time, while still getting meaningful input that often leads to deeper exploration later on.
I enjoy listening to a mix of broader IT and digital policy discussions like Logbuch: Netzpolitik, as well as security-focused content such as Darknet Diaries, No Such Podcast, or SANS StormCast. I also like a lighter side to balance things out — shows like Verprügelt mit Drachen, Verprügelt mit Punchlines, or Gefühlte Fakten, which are great for switching off, laughing, and clearing my head.
What’s a lesson you learned the hard way in your career?
Perfect security is the wrong goal. Early on, I focused too much on completeness and technical rigor, which slowed down the business and eroded trust. The hard lesson was that an 80% solution that is adopted consistently is far more effective than a theoretically perfect one that teams end up working around or ignoring. Sometimes it simply makes more sense to sit down with the teams and consider the “why”.
What keeps you up at night right now, from a security perspective?
The convergence of identity compromise and supply chain risk is particularly concerning. Attackers are increasingly bypassing traditional defenses by exploiting trusted relationships — whether that’s through SaaS integrations, developer pipelines, or third-party vendors. Once trust is abused, it becomes significantly harder to detect, and the impact can spread much further.
Another factor is the current wave of AI development and tools, along with how quickly and widely capabilities are expanding for attackers. What we used to call “script kiddies” can now, with today’s toolset and a relatively small investment, carry out massive and potentially critical attacks.
How do you measure whether your security program is actually working?
I would split this question in two directions.
First, it’s about getting your indicators and KPIs straight, monitoring them and intervening. That’s the more traditional, textbook answer.
Then there is the other side:
I look beyond activity metrics and focus on outcomes such as reduced time to detect and respond, resilience during simulated incidents, and how well security is integrated into business workflows. Equally important is whether teams make better security decisions without constant oversight. That’s a sign that the program is scaling culturally, not just technically.
What advice would you give to someone stepping into their first CISO role today?
Stepping into a CISO role shouldn’t be seen as just the next logical step on a career ladder — it’s a fundamentally different job that requires a conscious decision to take it on. You move from being a technical or organizational expert or team lead to being accountable for business risk, culture, and decision-making under uncertainty. It’s a wild ride — often ambiguous, occasionally uncomfortable, but incredibly rewarding if you fully commit to it. You’ll learn a lot, not only about security strategies and how businesses truly operate, but also about yourself: how you handle pressure, how you make decisions, and how you lead when there are no clear answers.
If possible, find a mentor early — someone who has lived through the role and can provide perspective when things get complex. At the same time, be very clear about your own expectations: what kind of leader you want to be, what trade-offs you’re willing to make, and what success looks like for you personally.
And then, once you’re in it — embrace the journey and enjoy the ride.
What do you think will matter less in security five to ten years from now?
One certain conclusion, given advances in AI, is that manual, reactive security operations will matter significantly less. The idea of large teams triaging alerts by hand is already breaking down under scale. Signature-based detection and perimeter-centric thinking will continue to lose relevance as environments become more dynamic and identity-driven.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Looking ahead 10 years, security teams will spend far more time governing complex ecosystems rather than simply protecting individual systems. A significant part of that shift will be driven by compliance and risk management. As regulatory pressure continues to increase globally, frameworks such as NIS2, DORA, CRA and industry-specific requirements will force organizations to formalize how they understand, document, and continuously monitor risk. Security teams will become deeply embedded in business governance, translating technical realities into auditable, defensible risk decisions.
At the same time, the rise of AI, third-party dependencies, and machine-to-machine interactions will make trust more dynamic and harder to verify, pushing teams toward continuous assurance models rather than periodic checks. In that world, security will be less about implementing controls and more about proving — both internally and externally — that those controls are effective, aligned with risk appetite, and resilient under real-world conditions.
