CISO Diaries: Alireza Sharifi on Navigating Risk, Team Dynamics, and AI-Driven Security


In the fast-evolving world of cybersecurity, leadership is as much about people, judgment, and adaptability as it is about technology. CISO Diaries explores that human side of security leadership, giving readers an inside look at how top CISOs manage risk, make high-stakes decisions, and balance protection with business objectives. Through candid conversations, we examine routines, mental frameworks, and lessons learned, revealing the practices that help security leaders keep their organizations safe while enabling growth and innovation.

About the Interviewee: Alireza Sharifi

Alireza Sharifi is an experienced information security leader and acting CISO at Arvand Jahan Ara Steel Co. (AJS), with a strong foundation in software engineering, reverse engineering, penetration testing, and network protocols. Holding a Master’s degree in Computer Software Engineering, Alireza brings a deep technical understanding to his security leadership, coupled with a focus on governance, risk management, and team development. Known for his strategic mindset and hands-on expertise, he emphasizes proactive risk assessment, threat modeling, and AI-driven security approaches while ensuring operational clarity and efficiency across the organization.

How do you usually explain what you do to someone outside of cybersecurity?

I help the company run its business smoothly. Think of me as the one who maps the journey—I spot the potholes, detours, and bad weather ahead on our digital road, and then I help us plot the clearest, safest route to reach our goals.

What does a “routine” workday look like for you, if such a thing exists?

A ‘routine’ day—meaning a rare one without a major incident—is about balancing urgency, strategy, and people. It starts with triage: reviewing the highest-impact reports, whether they’re critical security alerts, shifts in compliance policies, or third-party risks. The morning then shifts to advancing our core security programs and removing operational hurdles for the team. By midday, the focus turns to analysis and alignment, often in meetings with senior leaders to translate business needs into security priorities and risk discussions. I wrap up by tackling documentation, reports, and planning. If a new initiative is launching, I’ll gather the team to define the tasks, deadlines, and—most importantly—hear their ideas and concerns. If time allows, I dedicate the last hour to reading or testing a new tool, because sharpening my own skills is key to leading the team effectively. That’s the ideal rhythm, give or take—before the next incident reshapes the entire day.

What part of your role takes the most mental energy right now?

Two things consume the most mental energy, and they’re deeply connected. First, the human architecture of the team: separation of duties, career paths, and workload. When you have brilliant technical experts, you’re not just managing tasks—you’re stewarding careers. Every decision about roles and responsibilities weighs heavily because I’ve been in their shoes. It’s a constant balance. Second, and directly tied to the first, is the budget and risk conversation with the business. Translating abstract, ‘maybe-someday’ risks into concrete investment cases is exhausting. You’re advocating for resources to prevent something that might never happen, knowing full well that if it does happen, the responsibility lands squarely on your shoulders.

What’s one security habit or routine you personally never skip?

Consciously analyzing threats from an attacker’s perspective. It’s less of a scheduled routine and more of a constant, subconscious mindset. I find myself automatically assessing behaviors and environments—both physical and digital—looking for the easiest point of entry, the most effective (not necessarily the most advanced) exploit. In work, this translates directly into threat modeling: connecting disparate dots to see the path an attacker would take. The habit isn’t something I ‘do’; it’s a lens I permanently look through.

What does your own personal security setup look like?

I could describe a maximum-security setup, but that would miss the point. Everyone’s privacy is paramount, and in security, we understand that discussing specific personal configurations can sometimes weaken them. So, I’ll answer this way: my setup is built on the foundational principles I advocate for—layered defense, rigorous access control, and continuous vigilance. For me, that’s good enough.

What book, podcast, or resource has influenced how you think about leadership or security?

People and lived experience. I’ve never found a single book or podcast that defines leadership or security for me. My real teachers have been my thirst for solving the security ‘puzzle’ itself, and the hard lessons from my own mistakes. You can’t learn leadership from a book—it doesn’t burn in you that way. For me, it was about observing mentors when I could, but more often, it was about analyzing every stumble and success. That process of continuous, often painful, learning is what forges a leader’s character. Books can provide frameworks, but your own experience writes the manual.

What’s a lesson you learned the hard way in your career?

The hardest lesson was learning the limits of my influence. Early on, I tried to convince people to see potential they weren’t ready to see or to follow a path I thought was right for them. I learned that no one is like you. You cannot force someone into a mold, even with the best intentions. Everyone has a unique path; they need to walk it, taste the outcomes, and gain their own perspective. Tied directly to that is a second, sobering lesson: you cannot make everyone happy. Believing you can is delusional and a recipe for exhaustion.

What keeps you up at night right now, from a security perspective?

Operationally, it’s the evolving sophistication of threats. But strategically, my biggest concern is budget—the constant fight for proactive investment. Which leads to the cynical thought that keeps me up: our most convincing business case might just be a headline-grabbing incident. (A dark chuckle follows that thought.)

How do you measure whether your security program is actually working?

Beyond standard metrics like DRP testing and MTTR, I measure success by fluency and friction. My true north metric is ‘Mean Time To Report’—not to an SLA, but to clarity. When I ask for a critical report or status on X, and the team delivers it correctly, without confusion or back-and-forth, that’s a powerful signal. It means everyone knows their role, the processes are understood, and the communication pathways work. If your team can seamlessly translate action into accurate information, you’re not just responding; you’re in control.

What advice would you give to someone stepping into their first CISO role today?

It anchors in one skill: listening. You have to listen to what you’ve learned on your own technical path. Be technical enough that your team respects and trusts you—you need to speak their language fluently. But you also have to learn how to ‘babysit’ the leadership, which speaks a completely different language. Your job is to translate technical risk into business impact, to provide assurance, and to manage expectations. If you can’t bridge that gap, you’ll fail, no matter how good your security is.

What do you think will matter less in security five to ten years from now?

Signature-based detection. Looking at the trajectories of quantum computing and AI, we’re heading for a different level of warfare. In ten years, we might have quantum-capable, AI-driven adversaries that can breach a network in minutes. There will be no time for a human-run playbook. Our entire model will have to shift from having a checklist to having an AI-driven protector—a system with ‘all the eyes everywhere,’ capable of deflecting attacks at the same speed. To even implement this, we’ll need fundamental changes: hardware-level security, kernel-level integration, and operating systems rebuilt to comply with and enable these autonomous defense systems.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Governance of AI and strategic architecture. I believe AI will be the ultimate force multiplier, taking over detailed, routine analysis and execution. This will free human experts to focus on the bigger picture: designing and maintaining more dynamic, resilient, and intrinsically secure architectures. Instead of spending cycles on manual design and low-level tasks, we’ll feed data to AI-driven systems to generate the most reliable, multi-perspective outcomes. Our core role will shift to auditing these AI ‘colleagues,’ ensuring their decisions are ethical and sound, and continuously improving the overarching security environment.