CISO Diaries: Maurizio Imperadore on Security as a Business Enabler


For many security leaders, the challenge is not identifying risks; it is deciding which ones deserve immediate attention and which can wait. Maurizio Imperadore has spent years operating at that intersection of technology, leadership, and business priorities. As Head of the Cybersecurity Team at Connect S.p.A. and a veteran network and telecommunications professional, he has witnessed firsthand how organizations must balance protection, operational efficiency, and the realities of modern digital transformation.

His perspective makes for a particularly interesting installment of CISO Diaries, our series exploring the routines, habits, and decision-making processes of security leaders around the world. Rather than focusing solely on tools and threats, these conversations examine how cybersecurity leaders navigate competing priorities, build security-conscious cultures, and prepare for what’s next. In this interview, Imperadore discusses why perfect security can sometimes become a business obstacle, the growing threat posed by AI-powered social engineering, and why future security teams may spend less time operating controls and more time governing intelligent systems. His answers offer a practical look at how modern security leadership increasingly revolves around enabling the business while keeping risk within acceptable boundaries.

How do you usually explain what you do to someone outside of cybersecurity?

I usually tell them I’m like a digital architect and a firefighter wrapped into one. My team and I build the digital walls and alarm systems to keep the bad guys out of our company’s and clients’ data. And if someone does manage to spark a fire, we are the ones who run in to put it out before anyone gets hurt.

What does a “routine” workday look like for you, if such a thing exists?

A truly ‘routine’ day is rare, but the structure usually revolves around balance. I start with a morning sync with my team to check our monitoring dashboards and review any incidents from the night before. The rest of the day is a mix of unblocking my team on technical hurdles, aligning with other department heads on upcoming projects, and dedicating time to strategic planning, making sure we are anticipating threats rather than just reacting to them.

What part of your role takes the most mental energy right now?

Context-switching and prioritization. As a team leader, I have to constantly pivot from high-level business strategy meetings to deep-dive technical incident responses. Filtering through the daily noise to ensure my team is focusing their energy on the risks that actually matter to the business takes a massive amount of mental bandwidth.

What’s one security habit or routine you personally never skip? (Work or personal.)

Verifying identity and context before acting on any unexpected request—what we call the ‘Zero Trust’ mindset in everyday life. If I get an urgent message or email from a colleague, a vendor, or even a friend asking for something unusual or quick, I always double-check through a secondary, out-of-band channel before clicking or replying. It takes five seconds but saves hours of regret.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I practice what I preach. I use a dedicated, reputable password manager with randomized, 16+ character passwords for every single account. Hardware-based MFA (like YubiKeys) is implemented wherever supported, supplemented by authenticator apps—never SMS. For backups, I follow a strict 3-2-1 strategy: three copies of data, across two different media types, with one stored securely offsite and encrypted. Device-wise, everything is fully patched automatically, and I utilize a privacy-focused DNS at the router level.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

On the leadership side, ‘Extreme Ownership’ by Jocko Willink heavily influenced how I run my team; it teaches you that everything that happens under your watch is ultimately your responsibility. For security culture and mindset, the ‘Darknet Diaries’ podcast is a fantastic resource. It does an incredible job of reminding us that cybersecurity is fundamentally about human behavior, psychology, and flaws, not just code.

What’s a lesson you learned the hard way in your career?

That perfect security is the enemy of good business. Early in my career, I thought my job was to block every single potential risk. I quickly learned that if you make security tools too restrictive, users will simply find clever, insecure workarounds to get their jobs done. Security must be an enabler, not a roadblock. It’s about managing risk, not achieving absolute zero risk.

What keeps you up at night right now, from a security perspective?

The weaponization of AI by threat actors to scale highly sophisticated, hyper-personalized social engineering attacks. Traditional phishing filters are struggling to catch up with perfectly written, context-aware emails and deepfake audio/video. The human element has always been the weakest link, and AI just gave attackers a massive upgrade to exploit it.

How do you measure whether your security program is actually working?

We look at a blend of technical resilience and operational metrics. Key indicators include Mean Time to Detect (MTTD) and Mean Time to Remediate (MTTR)—how fast can we spot a threat and kill it? However, we also measure human firewall strength through regular, realistic phishing simulations and tracking how quickly employees report suspicious activity. A drop in successful phishes and a spike in user reports are a clear sign the culture is working.
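As an added illustration of the indicators named in this answer (not code from the interview or from Connect S.p.A.), the script below computes MTTD and MTTR from a set of constructed incident records and derives click rate, report rate and median time-to-report from constructed phishing-simulation campaigns. The record layout, field names and all numbers are assumptions made for the example; open incidents (no remediation timestamp) are deliberately excluded from MTTR so they do not distort the average.

```python
from datetime import datetime
from statistics import mean, median

# Constructed incident records (illustrative only, not real data). Timestamps are UTC.
# "remediated" is None while an incident is still open.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00:00", "detected": "2024-03-01T02:30:00", "remediated": "2024-03-01T04:30:00"},
    {"id": "INC-2", "occurred": "2024-03-04T10:00:00", "detected": "2024-03-04T11:00:00", "remediated": "2024-03-04T14:00:00"},
    {"id": "INC-3", "occurred": "2024-03-09T08:00:00", "detected": "2024-03-09T08:30:00", "remediated": None},
    {"id": "INC-4", "occurred": "2024-03-15T00:00:00", "detected": "2024-03-15T04:00:00", "remediated": "2024-03-15T10:00:00"},
]

# Constructed phishing-simulation campaigns, oldest first. report_delays_min holds,
# per reporting user, the minutes between delivery of the lure and their report.
CAMPAIGNS = [
    {"name": "Q1", "sent": 200, "clicked": 40, "reported": 30, "report_delays_min": [15, 25, 60, 90, 240]},
    {"name": "Q2", "sent": 200, "clicked": 18, "reported": 60, "report_delays_min": [3, 5, 8, 12, 40]},
]


def _minutes_between(start: str, end: str) -> float:
    """Elapsed minutes between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mttd_minutes(incidents) -> float:
    """Mean Time to Detect: average gap between when an incident began and when it was spotted."""
    return mean(_minutes_between(i["occurred"], i["detected"]) for i in incidents)


def mttr_minutes(incidents):
    """Mean Time to Remediate over closed incidents only. Counting an open incident
    as zero would pull the average down, so it is left out; None if nothing is closed."""
    closed = [i for i in incidents if i["remediated"] is not None]
    if not closed:
        return None
    return mean(_minutes_between(i["detected"], i["remediated"]) for i in closed)


def open_incident_count(incidents) -> int:
    """Incidents still lacking a remediation timestamp (worth reporting next to MTTR)."""
    return sum(1 for i in incidents if i["remediated"] is None)


def campaign_metrics(c) -> dict:
    """Click rate, report rate and median time-to-report for one simulation run."""
    return {
        "click_rate": c["clicked"] / c["sent"],
        "report_rate": c["reported"] / c["sent"],
        "median_report_min": median(c["report_delays_min"]),
    }


def culture_improving(campaigns) -> bool:
    """The signal the answer describes: clicks fall and reports rise from the first
    campaign to the most recent one."""
    first, last = campaign_metrics(campaigns[0]), campaign_metrics(campaigns[-1])
    return last["click_rate"] < first["click_rate"] and last["report_rate"] > first["report_rate"]


if __name__ == "__main__":
    print(f"MTTD: {mttd_minutes(INCIDENTS):.0f} min, MTTR: {mttr_minutes(INCIDENTS):.0f} min, "
          f"open incidents: {open_incident_count(INCIDENTS)}")
    for c in CAMPAIGNS:
        print(c["name"], campaign_metrics(c))
    print("culture improving:", culture_improving(CAMPAIGNS))
```

With the constructed data, MTTD comes out at 90 minutes, MTTR at 220 minutes across the three closed incidents, and the second campaign shows a lower click rate and a higher, faster report rate than the first, which is the trend the answer treats as evidence the culture is working. Reporting the open-incident count alongside MTTR keeps the exclusion visible rather than silently flattering the number.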

What advice would you give to someone stepping into their first CISO role today?

Stop talking about technical vulnerabilities and start talking about business risk. The board doesn’t care about the number of CVEs you patched this month; they care about financial loss, operational downtime, and reputational damage. Learn the language of the business, build strong relationships with CFOs and COOs, and treat security as a business driver.

What do you think will matter less in security five to ten years from now?

Traditional network perimeters and static passwords. The concept of ‘inside the corporate network’ is already dying, but in a few years, it will be completely obsolete. Furthermore, as passkeys and seamless biometric authentication become the global standard, the nightmare of managing, rotating, and phishing traditional text passwords will finally become a thing of the past.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Governing, auditing, and securing autonomous AI agents and automated supply chains. Instead of reviewing human-written code or configuring firewalls manually, security teams will spend their days managing the guardrails for AI systems that build and deploy software on their own. We will shift from being tactical operators to being risk orchestrators and algorithmic auditors.
