Cybersecurity is often viewed through the lens of tools, frameworks, and incident response, but in practice, it is shaped just as much by people, context, and everyday decisions. In CISO Diaries, we explore how today’s security leaders navigate this complexity in real time. This series goes beyond theory to understand how CISOs think, operate, and lead, balancing structured security frameworks with the unpredictability of human behavior and evolving business needs.
By focusing on routines, habits, and leadership philosophy, CISO Diaries highlights the reality that effective security is not just engineered; it’s lived. From informal conversations that reveal hidden risks to high-level strategic decisions, modern security leadership is as much about awareness and adaptability as it is about control. Because in today’s organizations, resilience is built not only through systems, but through understanding how people, processes, and technology truly interact.
About Rocco Barra
Rocco Barra is a seasoned cybersecurity and technology executive with over 15 years of experience operating at the intersection of IT systems, security, and business transformation. He currently serves as Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) at Aeromeccanica Stranich S.p.A., where he leads both the strategic direction of IT and the governance of cybersecurity risk across the organization.
With a strong foundation in integrating complex digital ecosystems, including ERP, PLM, cloud infrastructure, and SaaS platforms, Rocco brings a systemic, end-to-end view of how technology supports business operations. His dual role enables him to align security with production workflows, operational continuity, and long-term growth initiatives. Known for his pragmatic and people-centric approach, he emphasizes governance, real-world context, and continuous adaptation, ensuring that security is not just a control function, but a driver of resilience and business value.
How do you usually explain what you do to someone outside of cybersecurity?
I usually try to simplify things as much as possible and meet people where they are. Instead of going into technical details, I use everyday examples, like comparing cybersecurity to locking your house, being careful about who you let in, or recognizing suspicious situations in daily life.
My goal is to lower the communication barrier, not raise it. I avoid creating unnecessary alarm or fear, and instead focus on making people feel comfortable and aware. By using familiar, real-world scenarios, I help them understand that security is not something abstract or intimidating, but something practical and manageable in their everyday routines.
What does a “routine” workday look like for you, if such a thing exists?
There isn’t really such a thing as a “typical” day in my role; there are too many domains to cover and just as many evolving needs to respond to. That said, there is one constant in my day, and it might sound very Italian: the coffee break. I consider it a fundamental moment, not just socially but strategically. I use that time to connect with people, listen carefully, and pick up on moods, concerns, and unspoken challenges. Being physically present and accessible allows me to understand what’s really happening across the organization, what people are worried about, where friction exists, and what might not be working as expected. Those insights are invaluable because they help me shape decisions, guide improvements, and introduce changes that are grounded in real needs rather than assumptions. In a role like mine, those informal moments often provide more clarity than any formal report.
What part of your role takes the most mental energy right now?
What consumes the most mental energy right now isn’t a single task, but an entire domain: evaluation and adaptation.
In this role, there’s no universal blueprint you can apply everywhere. Every situation requires its own assessment: context matters, people matter, and so do the specific risks involved. At the same time, whatever decisions you make need to align with a consistent and unified security framework across the organization.
Balancing these two forces, handling each case as unique while still maintaining coherence and standardization, is the most challenging part. It requires constant judgment, flexibility, and the ability to adapt without losing structure.
What’s one security habit or routine you personally never skip? (Work or personal.)
For me, it’s less about a specific tool or action and more about mindset. I never skip maintaining a security-oriented way of thinking.
Over time, I’ve developed mental models that I apply consistently in both my professional and personal life. These are recursive patterns for analyzing situations, defining boundaries, and breaking problems down into structured blocks.
This approach helps me stay clear-headed and consistent, regardless of the context. Whether I’m evaluating a risk, making a decision, or dealing with an unexpected situation, I rely most on these mental frameworks.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
I’d link this closely to my previous answer: my personal security setup is driven primarily by mindset rather than just specific tools.
Having a security-oriented way of thinking pushes me to maintain consistently high standards across everything I use. This means applying best practices such as strong authentication, careful device management, and reliable backups, while always guided by a broader principle.
At the core, I pay particular attention to how information is shared. Information sharing is often the most underestimated risk, so I treat it as a foundational layer to manage carefully. Every tool or control I adopt, whether it’s a password manager, MFA, or secure storage, aligns with that principle of minimizing unnecessary exposure while maintaining usability.
In short, it’s not just about the setup itself, but about the discipline and awareness behind how it’s used every day.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
My perspective hasn’t been shaped by a single book or podcast as much as by firsthand experience in the early days of IT security. I started in an environment where most of the tools and frameworks we now take for granted simply didn’t exist. Problems couldn’t be solved by buying a solution; they had to be studied, tested, and validated from first principles.
A defining moment was the emergence of the first ransomware attacks. That was a turning point: it became clear that reactive security, patching after the damage, is fundamentally insufficient. It forced a shift toward preventive strategy, risk anticipation, and resilience by design.
That experience still guides my leadership approach today: security is not a product or a checklist, but a continuous, forward-looking discipline that requires critical thinking, adaptability, and the ability to operate with incomplete information.
What’s a lesson you learned the hard way in your career?
One of the hardest lessons I’ve learned is that the weakest link is almost always the human factor.
Not because people are careless, but because human behavior is influenced by variables you can’t fully control or standardize: things like stress, timing, context, or even something as simple as the day of the week or the period right before holidays.
You can design strong systems and define clear processes, but people won’t always respond in predictable ways. That’s why I’ve learned to treat the human element as the primary area to understand, support, and continuously improve, rather than something you can simply “fix” with rules or technology.
What keeps you up at night right now, from a security perspective?
Right now, my primary concern is the rapid expansion of AI within organizations. There is a widespread perception that everyone understands the rules of engagement, governance, compliance, and basic safeguards, but in reality, very few are truly addressing the full security perimeter.
What worries me is the tendency to stop at the first layer of results: integrating AI tools quickly without deeply assessing their implications on data exposure, model integrity, and long-term risk. There is still a lack of structured thinking around short- and medium-term strategy.
From a CISO/CTO standpoint, the challenge is not just adopting AI but governing it effectively, ensuring visibility, control, and resilience throughout the entire lifecycle. The gap between perceived readiness and actual preparedness is where the real risk lies.
How do you measure whether your security program is actually working?
I measure the effectiveness of a security program through a structured framework of controls, validations, and continuous analysis.
There isn’t a single metric that tells the full story. Instead, I rely on multiple data points, each one providing a specific perspective. Individually, they offer useful insights, but when aggregated into a broader control framework, they create a much clearer picture of the overall security posture.
This approach not only helps assess how well the program is performing today, but also provides early signals of potential issues. In some cases, it allows for a proactive response before risks fully materialize, which is ultimately one of the key goals of any effective security program.
What advice would you give to someone stepping into their first CISO role today?
My main advice would be to understand that the CISO role today is truly cross-functional; it extends far beyond just IT security.
A CISO is not only responsible for protecting systems, but for understanding how the entire organization operates: its processes, workflows, and ways of working. Security cannot be applied in isolation; it has to be integrated into the business.
The more you understand how information flows, how decisions are made, and how people actually work, the more effectively you can apply cybersecurity in a way that supports, not slows down, the organization.
In short, don’t start with technology; start from the business, and build security around it.
What do you think will matter less in security five to ten years from now?
I believe that the importance of the device itself will continue to decrease over the next five to ten years. We’ve already seen this shift: devices are becoming more standardized, more controlled, and, in many cases, less central to the overall security strategy.
What really matters is the data and how it moves, not the specific endpoint being used to access it. In that sense, the data that tends to be less at risk is often the one we already know, manage, and have under control.
The real challenge, and where attention will increasingly focus, is on data in motion, data sharing, and the context in which information is accessed and used, rather than on the device itself.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Looking ahead 10 years, I believe security teams will spend a significant amount of time on two major fronts: managing legacy systems and governing AI’s evolution.
Legacy environments will remain a critical challenge. In many organizations, they are deeply intertwined with core business operations and production processes. You can’t simply replace or isolate them without impacting the business itself. This makes their security management delicate and complex. Today, there’s a tendency to overlook or postpone this issue, but as technology continues to evolve, legacy systems will become an even greater risk and require dedicated attention. At the same time, AI is being introduced everywhere at a very aggressive pace. However, far fewer organizations are thinking long-term about how to properly manage, secure, and integrate it. Questions about governance, lifecycle management, reliability, and control remain largely unaddressed.
In the future, security teams will need to balance these two extremes: protecting what is old but critical, and controlling what is new but not yet fully understood.
