For Damien Mure, cybersecurity is as much about communication as it is about technology. As CISO at XWiki, he sits at the intersection of engineering teams, business leaders, customers, auditors, and regulators, often serving as the person responsible for ensuring that each group understands the others. That role has become particularly important as XWiki advances its security governance initiatives and ISO 27001 certification efforts while maintaining the transparency and collaborative culture that define open-source software.
His experience makes for a particularly insightful edition of CISO Diaries, a series that explores how security leaders actually operate behind the scenes. Rather than focusing only on threats and technologies, Damien’s perspective highlights the human side of cybersecurity: the importance of trust, clear communication, thoughtful prioritization, and bringing people along on the security journey. In this interview, he discusses the challenge of balancing structure with constant context switching, why “checkbox security” is losing relevance, and how AI is reshaping both the threat landscape and the future responsibilities of security teams. He also shares why some of the strongest indicators of a successful security program have less to do with dashboards and more to do with whether people genuinely want security involved in the conversation.
How do you usually explain what you do to someone outside of cybersecurity?
I often say that my job is to be the translator between everyone who touches cybersecurity, from the engineers to the board. My goal is to create a link between technical considerations and business management. I make sure everyone understands each other’s constraints so we can work toward a common goal.
Cybersecurity can sound very technical from the outside, but a big part of the job is actually about people, decisions, habits, and trust. Of course, there are tools, systems, audits, controls, and regulations. But at the end of the day, my role is to help the organization operate safely without making security feel like a wall to everyone.
At XWiki, that also means finding the right balance between security, open-source transparency, and how our teams have actually built and supported the product for more than 20 years.
What does a “routine” workday look like for you, if such a thing exists?
I’m not sure if there is a fixed routine, but there are recurring themes.
Some days are focused on strategic topics such as risk reviews, policy evolution, new client security requirements, or supplier assessments.
Other days are more operational: following up on security initiatives with teams, investigating incidents or events, improving inefficient processes, responding to customer security questions, or supporting audit preparation.
During the ISO 27001 certification project, the pace was especially intense. We had to move quickly while still doing things properly. Achieving certification in less than a year required aligning many stakeholders, documenting what needed to be documented, improving processes, and maintaining momentum without turning security into a burden.
In the end, it’s mostly about constantly switching between structure and firefighting, with a lot of context switching in between.
So, for me, a CISO’s “routine” is really about effectively navigating and organizing all of this.
What part of your role takes the most mental energy right now?
The hardest part is probably prioritization.
In security, there is always more you could do. More controls, more reviews, more documentation, more tooling, more monitoring, more awareness. But a good security program is not about doing everything at once. It is about understanding what matters most for the organization right now.
That takes mental energy because you need to stay realistic. You have to look at risks clearly, but without creating panic. You have to push for improvements, but without blocking the teams that also have other topics to work on. And you have to make choices that are good enough today while still moving toward something stronger over time.
What’s one security habit or routine you personally never skip? (Work or personal.)
I always double-check any incoming messages or solicitations addressed to me.
I try to stay vigilant by looking for basic warning signs, such as requests for money, password inquiries, or messages that create a sense of urgency or exploit curiosity.
When you combine the many personal data breaches worldwide with AI-powered attack scenarios, social engineering has reached a high level of sophistication and relevance. Anyone can fall for it, even cybersecurity experts.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
This setup has evolved over the years as my experience has grown.
Today, it includes:
- A password manager
- Passkeys
- Device data encryption
- Secure data backup and replication for my devices
- A clear separation between personal and professional use
The most difficult part is finding tools you can truly rely on, and assessing whether they might disappear or depend too heavily on external services or companies. I want to remain in control of my data and the tools I use. The open-source ecosystem aligns very well with this mindset.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
From my point of view, experiencing rough situations and difficult projects is the best way to reshape the way we want leadership to be lived (for ourselves) or applied (to others).
I won’t name a tool, but some human resources analysis tools help you to understand the way of thinking of the people you’re working with. This really helps you adapt how you say things depending on the audience.
But if I had to name one book, it would be The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win.
It is a great read because it shows that good leadership is about fixing processes, not blaming people. It also makes it clear that better teamwork and visibility naturally improve security. Overall, it’s an easy, practical way to see how IT and business success are closely connected.
What’s a lesson you learned the hard way in your career?
People tend to fear what they don’t fully understand. Misunderstandings and speculation need to be avoided, as they can undo months of work in just a few hours if they are not handled with clear communication. Never assume. Always check.
Security ultimately depends on people, so employees need to be properly engaged and brought on board.
What keeps you up at night right now, from a security perspective?
AI is accelerating vulnerability discovery and exploitation, especially in the open-source ecosystem where we operate. This shift needs to be taken into account and integrated into our analyses and processes.
On top of that, there are broader ethical AI considerations, such as environmental impact, privacy, and changes in employees’ roles. So there are definitely some busy nights ahead on these topics, but also a growing community of people ready to tackle them. Up all night, but not alone.
How do you measure whether your security program is actually working?
I use two complementary approaches to evaluate whether the security program is working.
First, a formal approach: I rely on clearly defined objectives, such as getting ISO 27001 certified, and KPIs. These are set with the management board, implemented with the teams, and tracked regularly over time. The goal is not just the numbers themselves, but understanding what they tell us and identifying meaningful trends.
Second, for a more informal approach, I look at day-to-day signals:
- Is the business asking for new security initiatives?
- Did we successfully close the last sales deal after completing a security questionnaire?
- Were we able to handle the latest incident as expected?
- Did employees complete training without constant reminders?
- Am I still invited to the after-work drinks?
Each “yes” is a small but meaningful indicator that the program is working.
What advice would you give to someone stepping into their first CISO role today?
Don’t rush.
Start by understanding the organization: what it does, what matters most, where the real risks are, how decisions are made, and where security already works well, or does not. Take the time to listen and understand the people you will work with, and stay humble.
Make sure you build a solid foundation so you can hold relevant conversations at any level of abstraction across security topics.
Keep learning continuously: technical skills, hacking, human behavior, management, business context, legal and regulatory aspects. Be aware that you will never be the ultimate expert in everything, but rather a generalist who coordinates and enables highly specialized experts to work together effectively.
What do you think will matter less in security five to ten years from now?
I think many manual, repetitive security tasks will matter less, especially those that can be reliably automated, such as basic vulnerability scanning, alert triage, and compliance evidence collection. Security will also rely less on static controls and point-in-time assessments, because environments are becoming too dynamic for that to remain effective.
More broadly, I believe “checkbox security” will lose value compared to continuous, risk-based approaches that more closely reflect real business impact.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
I think security teams will spend much more time managing trust: trust in identities, suppliers, AI-generated content, software dependencies, data, and automation.
As AI becomes more present in everyday work, we will need to verify many things that previously felt implicit or obvious.
Security teams will also focus more on automating real-time risk management in highly dynamic environments, where systems change continuously and security must adapt instantly, rather than through long monthly projects.