CISO Diaries: Oleksii Lukin on Security, Discipline, and Resilience at National Scale

Oleksii Lukin is CISO and Head of IT Security at Ukrposhta, Ukraine’s largest postal and logistics organization, operating over 12,000 branches and serving millions of citizens across critical mail, financial, and government-adjacent services. In this environment, where continuity of operations is tightly linked to national resilience, his role extends far beyond traditional cybersecurity. He is responsible for identifying risk across a vast, distributed infrastructure and ensuring that security is embedded not just in systems, but in daily operational behavior across a workforce of tens of thousands.

His experience securing essential national services under high operational pressure is especially valuable for CISO Diaries, where we explore how security leaders actually translate risk into action in complex, real-world environments. In this conversation, Lukin shares a grounded view of cybersecurity shaped by discipline and accountability: that most incidents are not the result of advanced attacks, but of small operational failures, process gaps, and human behavior. He reflects on the challenge of aligning large organizations around security requirements, the importance of measurable behavioral change, and why managing people and culture often matters more than managing technology.

How do you usually explain what you do to someone outside of cybersecurity?

My role is to identify and assess risks facing the organization and propose practical ways to mitigate them. In a country at war, this often goes far beyond the traditional boundaries of information security and extends into operational and organizational resilience as well.

What does a “routine” workday look like for you, if such a thing exists?

There are still operational processes that cannot yet be fully automated. In addition, we regularly analyze incidents and collect statistics based on criticality, type, impact, geographic location, and other factors. This allows us to continuously adjust our security strategy and adapt to changes within the company and the external threat landscape.

What part of your role takes the most mental energy right now?

Aligning other departments around security requirements and making security part of the operational culture. Once clear accountability and disciplinary responsibility for violating security policies were introduced, adoption improved significantly.

What’s one security habit or routine you personally never skip? (Work or personal.)

Multi-factor authentication — always. Whenever possible, I prefer adding an additional factor beyond the standard MFA approach.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I understand the value of password managers, especially at scale. Personally, I use my own methodology for memorizing long, unique passwords exceeding 20 characters, combined with MFA, backups, and device-level security practices.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

My mindset was heavily influenced by the books of Napoleon Hill, which my father introduced me to when I was young. Technical literature helped build hard skills, but Hill’s work had a major impact on the way I think about leadership, discipline, and long-term goals. I was also influenced by declassified materials describing military intelligence and operational methodologies.

What’s a lesson you learned the hard way in your career?

Managing people is probably the most difficult part of the job — but I believe that is true in any field. Technology problems are often easier to solve than human and organizational challenges.

What keeps you up at night right now, from a security perspective?

In reality, most incidents are not caused by some kind of “super hacking.” During investigations, we usually discover much simpler root causes: systems not patched on time, violations of established procedures, weak operational discipline, or simple user naivety. Everything else is mostly a matter of technique.

How do you measure whether your security program is actually working?

We measure effectiveness by tracking trends and reductions in repeat incidents. For example, the number of incidents involving the disclosure of sensitive user information decreased ninefold since October 2025. For me, measurable behavioral change is one of the clearest indicators that a security program is working.

What advice would you give to someone stepping into their first CISO role today?

Listen to the people around you. Build your decisions around a risk model — and if one does not exist yet, create it. Work closely with both users and administrators. Educate them continuously. These may sound like general recommendations, but based on our own statistics, human behavior remains the source of the overwhelming majority of incidents.

What do you think will matter less in security five to ten years from now?

It is difficult to say what will become less important. For example, AI already allows attackers to identify and test exploits against vulnerable systems dramatically faster than administrators can realistically patch them. At the same time, fully automated AI-driven patching remains difficult because it can easily disrupt business logic and operational stability. So I would be cautious about predicting what will disappear — but it is much easier to predict what new challenges will emerge.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

I believe security teams will spend much more time adapting and governing AI-driven capabilities within SIEM, DLP, EDR, and other security platforms. At the same time, teams will likely face an enormous increase in false-positive incidents generated by increasingly autonomous detection systems. Managing trust, validation, and operational efficiency around AI-generated alerts will become a major focus area.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.