CISO Diaries: Alessio Cipolletta on Security in Safety-Critical Aviation Environments

Alessio Cipolletta leads cybersecurity and ICT at Atitech S.p.A., operating in an environment where security is inseparable from safety and reliability. With a background spanning business administration and a Master’s in Cybersecurity, he brings a rare blend of governance, risk management, and operational execution to complex, regulated aviation systems. His experience implementing frameworks such as ISO/IEC 27001, NIS2, and EASA PART-IS is especially valuable for CISO Diaries, helping illustrate how security leadership functions when compliance, resilience, and operational continuity are not abstract goals, but daily requirements.

In this conversation, Cipolletta reflects on the constant balancing act between business needs and security demands, and why true protection depends on aligning people, processes, and governance, not just technology. He shares his perspective on supply chain risk, the growing importance of security by design, and why reactive security approaches are becoming less viable in modern enterprises. His approach highlights a shift in the CISO role toward strategic resilience, where success is measured not only by control effectiveness but by how seamlessly security enables the business to operate under pressure.

How do you usually explain what you do to someone outside of cybersecurity?

I ensure organizations can operate safely in a digital world by protecting systems and data and managing risks, especially in regulated environments where security supports safety and compliance.

What does a “routine” workday look like for you?

There’s no real routine. My day blends strategy and operations: monitoring security posture, aligning with teams, managing risks, and supporting compliance and audit readiness.

What part of your role takes the most mental energy right now?

Balancing security with business needs in a constantly evolving threat landscape, while aligning technical and business stakeholders.

What’s one security habit or routine you personally never skip? (Work or personal.)

Staying aware of what’s happening in the environment, such as regularly reviewing alerts and signals from critical systems.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

A layered approach:

  • Password manager
  • MFA everywhere possible
  • Encrypted devices
  • Regular backups (including offline)
  • Separation between personal and work environments

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

Concepts around resilience and decision-making under uncertainty, seeing security as a business enabler, not just a control function.

What’s a lesson you learned the hard way in your career?

Technology alone isn’t enough. Security requires alignment between people, processes, and governance.

What keeps you up at night right now, from a security perspective?

Supply chain risk and third-party dependencies, especially in regulated and safety-critical environments.

How do you measure whether your security program is actually working?

Risk reduction, detection, and response effectiveness, compliance outcomes, and improved user awareness.

What advice would you give to someone stepping into their first CISO role today?

Understand the business, build relationships, focus on risk, and accept that prioritization is essential.

What do you think will matter less in security five to ten years from now?

Purely reactive security approaches.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

  • Supply chain security
  • Security by design
  • Governance and compliance
  • Automation and AI

The role will become increasingly strategic, with a strong focus on resilience.

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business for professional audiences.