Cybersecurity leadership is often framed through frameworks, tools, and breaches, but we rarely see how leaders operate day-to-day. CISO Diaries was created to pull back the curtain on what it really means to lead security in modern organizations.
The series explores the routines, decision-making, mental load, and personal philosophies of leading CISOs, revealing how they balance protection, innovation, and operational speed. By spotlighting their experiences and habits, CISO Diaries gives readers an unfiltered look at the human side of cybersecurity leadership, where judgment, resilience, and clarity matter just as much as technology.
About the Interviewee: Aner Izraeli
Aner Izraeli is a senior information security officer and enabler with deep expertise across architecture, engineering, and operations in the cybersecurity industry. He currently serves as CISO at Torq, where he leads security strategy for a rapidly scaling startup and drives visibility, automation, and AI-based security operations. Aner is a coder, podcast co-host, and advocate for embedding security as a foundational enabler rather than a brake on growth. Known for his practical, risk-focused approach, he emphasizes clarity, real-time visibility, and building strong security foundations that allow fast-moving companies to scale safely.
How do you usually explain what you do to someone outside of cybersecurity?
I help the company move fast without tripping over itself by putting computer security bumpers in place.
Those bumpers are simple protections for cloud systems, laptops, and software, so people can work freely without creating significant risks.
Bumpers may sound bad marketing-wise, but frankly, they’re not brakes — they’re lane markings. You can still drive (work) fast, just without ending up in a ditch.
What does a “routine” workday look like for you, if such a thing exists?
Luckily, there isn’t really a routine in my workday — and that’s exactly what I enjoy about it.
Every day looks a bit different: one day I’m collaborating with engineering or IT, another day I’m solving unexpected problems or thinking ahead about risks and growth. That constant change and variety are among the main reasons I’m drawn to the startup world.
What part of your role takes the most mental energy right now?
Fortunately, I’ve been privileged to be at a point where Torq is scaling and growing. Hence, the most significant mental shift for me right now is adjusting my mindset as the company grows.
Scaling means building the right team while continuously reassessing risk as complexity increases — more people, more systems, more processes, and more dependencies. The challenge is making sure everything grows in balance, so speed and innovation don’t introduce unnecessary or hidden risks.
As the company scales, almost everything changes at once: how decisions are made, which systems we rely on, and how risk surfaces. What works well at a very small stage doesn’t always scale cleanly, and new risks naturally emerge as the number of tools and moving parts grows.
I’ve been at Torq for almost four years — I was the very first employee back in 2022, and today, in 2026, we’re a team of six, including IT. Being part of this growth is something I’m genuinely humbled by and excited about, because scaling responsibly means building strong foundations early so the company can keep moving fast without paying for it later.
What’s one security habit or routine you personally never skip? (Work or personal.)
I’m a firm believer that security comes from staying ahead of the trend, not just reacting to it. At work, my non-negotiable habit is pushing to iterate and evolve, combined with a deep dive into new tech notions to keep my ‘knowledge firewall’ strong.
What does your own personal security setup look like?
I think about my security setup in terms of principles, with visibility as the foundation.
For me, security starts with knowing what exists, what’s happening, and what “normal” looks like. You can’t meaningfully reduce risk if you don’t have accurate visibility into identities, devices, access, and activity. That belief guides every decision I make.
When I choose security controls, my primary criterion is whether they improve visibility in a meaningful way – whether they help surface risk, reduce blind spots, and produce signals I can actually act on. I prioritize clarity over complexity and accuracy over volume, so that anomalies stand out rather than get lost in the noise.
At a high level, my setup combines Torq-based automation and AI agents with strong telemetry and correlation. Centralized logging and analysis (SIEM) give me behavioral visibility across environments, while endpoint detection and response (EDR) and CNAPP provide deep insight into execution, posture, and abnormal activity at the device and cloud levels.
Identity visibility is a core focus – not just for human users, but also for non-human identities like service accounts, tokens, and integrations, which are often the least visible and highest risk. In parallel, I maintain visibility into my SaaS and cloud configurations through SSPM, so configuration drift and excessive permissions are surfaced early rather than discovered after the fact.
That visibility extends beyond my own environment into third-party risk management, where I continuously track external dependencies and their security posture instead of treating vendor risk as a periodic checkbox exercise.
AI agents play an active role in operations and threat hunting – continuously analyzing signals from the SIEM, EDR, identity, and SaaS layers, establishing baselines, and highlighting deviations that warrant investigation. This allows me to stay proactive rather than alert-driven.
The system is designed to make unexpected behavior obvious: unusual access patterns, new assets or identities, execution anomalies, configuration changes, or shifts in third-party risk. Prevention matters, but detection, context, and understanding enable me to respond effectively when something does go wrong.
In short, my personal security mirrors how I approach security professionally: start with visibility, scale it through automation and agents, and then apply controls intentionally to address real risk.
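The answer above describes the detection pattern in words: build a baseline of what each identity normally does, then make anything outside it obvious, with non-human identities treated as the highest-risk class. The following is an added example written for this page, not Torq's code or any product's logic, showing that baseline-and-deviation logic run over a constructed set of identity and access events. The event fields, principals, resources and severity rules are assumptions chosen for illustration.

```python
"""Baseline-and-deviation detection over identity and access events.

Added example (not Torq's code). Builds a per-identity picture of "normal"
from historical events, then flags live events that fall outside it.
All events below are constructed sample data.
"""
from collections import defaultdict

# Constructed learning-window events: what the environment normally does.
BASELINE_EVENTS = [
    {"principal": "alice@example.com", "kind": "human",   "action": "console.login", "resource": "aws:account:111",       "src": "IL"},
    {"principal": "alice@example.com", "kind": "human",   "action": "s3.GetObject",  "resource": "s3://prod-logs",         "src": "IL"},
    {"principal": "svc-backup",        "kind": "service", "action": "s3.GetObject",  "resource": "s3://prod-db-snapshots", "src": "aws:vpc"},
    {"principal": "svc-backup",        "kind": "service", "action": "s3.PutObject",  "resource": "s3://backups",           "src": "aws:vpc"},
    {"principal": "bob@example.com",   "kind": "human",   "action": "console.login", "resource": "aws:account:111",       "src": "IL"},
]

# Constructed live events to evaluate against that baseline.
NEW_EVENTS = [
    # normal: same action, resource and source as before
    {"principal": "alice@example.com", "kind": "human",   "action": "s3.GetObject",       "resource": "s3://prod-logs",       "src": "IL"},
    # known action from a never-seen source country
    {"principal": "alice@example.com", "kind": "human",   "action": "console.login",      "resource": "aws:account:111",     "src": "RO"},
    # service account doing something it has never done (key creation on an admin user)
    {"principal": "svc-backup",        "kind": "service", "action": "iam.CreateAccessKey", "resource": "iam:user/admin",      "src": "aws:vpc"},
    # identity that did not exist in the baseline at all
    {"principal": "svc-ci-deploy",     "kind": "service", "action": "sts.AssumeRole",     "resource": "iam:role/prod-admin", "src": "203.0.113.9"},
]


def build_baseline(events):
    """Per principal: identity kind, the (action, resource) pairs it performs,
    and the sources it acts from."""
    baseline = defaultdict(lambda: {"kind": None, "pairs": set(), "srcs": set()})
    for e in events:
        entry = baseline[e["principal"]]
        entry["kind"] = e["kind"]
        entry["pairs"].add((e["action"], e["resource"]))
        entry["srcs"].add(e["src"])
    return dict(baseline)


def detect_deviations(baseline, events):
    """Return one finding per deviation from the baseline.

    Non-human identities score higher: a service account has no reason to do
    something it has never done before, so a new action/resource pair for it
    is more likely a stolen credential or misuse than a person exploring.
    """
    findings = []
    for e in events:
        p = e["principal"]
        known = baseline.get(p)
        if known is None:
            findings.append({"principal": p, "reason": "new_identity",
                             "severity": "high" if e["kind"] == "service" else "medium",
                             "event": e})
            continue
        if (e["action"], e["resource"]) not in known["pairs"]:
            findings.append({"principal": p, "reason": "new_access_pattern",
                             "severity": "high" if known["kind"] == "service" else "medium",
                             "event": e})
        if e["src"] not in known["srcs"]:
            findings.append({"principal": p, "reason": "new_source",
                             "severity": "medium", "event": e})
    return findings


if __name__ == "__main__":
    for f in detect_deviations(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f'{f["severity"]:6} {f["reason"]:18} {f["principal"]:18} '
              f'{f["event"]["action"]} -> {f["event"]["resource"]} from {f["event"]["src"]}')
```

In a real pipeline the baseline would be learned over a rolling window from the SIEM rather than a fixed list, and the findings would feed an enrichment or response workflow; the part worth copying is the split between "new identity", "new pattern for a known identity" and "new source", because each calls for a different first response.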
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
Over the past few months, one of the biggest influences on how I think about leadership and security has actually been starting a podcast of my own, together with two close friends and fellow Israeli CISOs, Amit Speitzer and Esther Pinto.
Hosting the podcast and speaking with a wide range of security leaders has been incredibly influential for me. Preparing for conversations, listening deeply to different perspectives, and hearing how people lead through complexity, uncertainty, and failure have shaped how I think about leadership far more than any single technical resource. It’s forced me to be more reflective, curious, and humble in my own approach.
Recently, I’ve also started listening to entrepreneurship-focused podcasts. I’ve been thinking more about building – products, teams, or companies – and learning how founders think about risk, resilience, and long-term vision has been very relevant to how I view security leadership as well.
On a more personal level, the past two years in Israel have deeply affected how I think about perspective and proportion in life. I recently read the book by Eli Sharabi, who was held hostage by Hamas and released last year. His account of captivity – while incredibly difficult – was ultimately a story of resilience, leadership under extreme conditions, and maintaining humanity in impossible circumstances.
That book gave me a strong sense of proportion. It reframed how I think about pressure, decision-making, and what truly matters when things go wrong. It’s been a powerful reminder that leadership – whether in security or elsewhere – is ultimately about people, resilience, and moral clarity, not just systems and processes.
What’s a lesson you learned the hard way in your career?
Shortcuts are the devil! I learned the hard way that shortcuts are rarely real shortcuts. Early in my career, 10 years ago, as a tech integrator, I used to work and move fast, which led to mistakes that caused customer downtime. Whether it was running a destructive Linux command without sufficient validation or reusing detection content without fully adapting it to the environment, the cost of speed outweighed the cost of doing it right.
That lesson shaped how I work today – these kinds of errors are shaping!
What keeps you up at night right now, from a security perspective?
My 3 young kids.
Apart from that, in fact, the constant thought is, am I doing enough to not miss what I don’t know? What are those stones that I need to turn over, and haven’t yet turned over? How can I make my team happier, more efficient, and continuously better?
How do you measure whether your security program is actually working?
I define KPIs and OKRs that map directly to current and emerging risks, and I revisit them regularly as the threat landscape and the business evolve. The goal is simple: prove that we’re reducing real risk, not just generating alerts or closing tickets.
I measure effectiveness across a few core areas:
- Risk coverage: Are our most critical risks identified, owned, and mitigated over time?
- Automation rate: Measures multi-step logic that enriches or closes alerts using threat intelligence.
- Control effectiveness: Are controls actually stopping attacks, or just creating noise?
- Operational maturity: Are we reducing security debt and responding to issues based on risk, not urgency?
- True Positive Rate: Tracks actual incidents.
What advice would you give to someone stepping into their first CISO role today?
First, identify your real stakeholders. Not your org chart – the people who actually influence outcomes. Build trust and relations with engineering, product, and leadership.
Second, find your crown jewels and your real risks. If everything is critical, nothing is. A first-time CISO who can’t clearly articulate what would truly hurt the business shouldn’t be making security decisions yet.
Third, create immediate risk visibility. You don’t need perfect data – you need honest data. Early credibility comes from being able to say: “Here’s where we’re exposed, here’s why it matters, and here’s what we’re doing about it.”
Fourth, use proven methodologies and frameworks – but don’t hide behind them. Frameworks like the SANS CISO Mind Map are guardrails.
Now, the part many CISOs still avoid: learn to code and learn AI.
If you don’t understand how software is built, you will never truly understand application risk. And if you don’t understand AI, you are already unqualified to assess modern threat models.
Next, find a mentor. This role is isolating, political, and high-pressure. If you’re navigating it alone, that’s not independence – that’s inexperience.
Then, stay aggressively current. The threat landscape changes faster than your annual plan. New technologies, new vulnerabilities, new attacker economics – if you’re not continuously learning, your security program is decaying in real time.
Finally, be innovative. Be open to new technologies. Design smart partnerships. Experiment responsibly. The job is not to preserve the status quo – it’s to build security that scales with the business.
A successful first-time CISO isn’t the one with the most tools or the prettiest dashboards.
It’s the one who sees risk clearly, adapts fast, speaks the business’s language — and isn’t afraid to challenge outdated security thinking.
What do you think will matter less in security five to ten years from now?
In my honest opinion, in five to ten years, on-prem and perimeter-based security thinking will matter far less.
Static network boundaries, fixed trust zones, and IP-based assumptions don’t reflect how modern systems actually operate. Workloads are ephemeral, users are everywhere, and attackers already assume they’re inside. Identity, behavior, and context will matter far more than where traffic originates. If a security model doesn’t start with continuous trust evaluation, it won’t scale.
Second, generic awareness training and security questionnaires will decline in value.
Annual training sessions and endless vendor questionnaires create the appearance of security, but they rarely change behavior. People don’t become secure because they watched a slide deck or filled out a form – they become secure because systems are designed to be safe by default.
That’s why zero-trust style controls will increasingly replace these approaches.
Enforced identity verification, least privilege, continuous authorization, and real-time policy decisions will do more to reduce risk than asking users to “be more careful” ever did.
Security is shifting from relying on human oversight to compensate for weak systems to building systems that assume humans will make mistakes.
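The answer above lists the ingredients of a zero-trust decision: enforced identity verification, least privilege, continuous authorization, and a policy decision taken in real time per request rather than once at login. The block below is an added example, not Torq's code or any vendor's product, that puts those ingredients into one policy function evaluated over constructed requests. The resource policy, the allowed-country list, the 15-minute strong-auth limit and the sample requests are all assumptions chosen for illustration.

```python
"""Per-request authorization from identity, device and context signals.

Added example (not Torq's code). Every call to decide() recomputes the
decision from current signals, which is what "continuous authorization"
means in practice: a session that was fine ten minutes ago can be stepped
up or denied on the next request. Policy values below are constructed.
"""
from dataclasses import dataclass

# Constructed resource policy: who may touch what, and how sensitive it is.
RESOURCE_POLICY = {
    "prod-db": {"sensitivity": "high", "roles": {"sre"}},
    "wiki":    {"sensitivity": "low",  "roles": {"sre", "employee"}},
}
ALLOWED_COUNTRIES = {"IL", "US"}   # assumed geo policy
STRONG_AUTH_MAX_MIN = 15           # assumed: re-prove MFA this often for high-sensitivity access


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    mfa_age_min: int      # minutes since the last strong (MFA) authentication
    device_managed: bool  # device enrolled in MDM
    edr_healthy: bool     # EDR agent running and reporting
    src_country: str
    resource: str


def decide(req: Request):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'.

    Hard failures (no entitlement, unhealthy endpoint, unmanaged device on a
    high-sensitivity resource) deny outright. Softer context changes (unusual
    geo, stale strong auth) ask the user to re-prove identity instead of
    silently allowing or bluntly blocking.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return "deny", ["unknown resource: default deny"]

    deny, step_up = [], []
    if not (req.roles & policy["roles"]):
        deny.append(f"no role in {sorted(policy['roles'])} grants {req.resource}")
    if not req.edr_healthy:
        deny.append("EDR not healthy on device")
    if not req.device_managed:
        target = deny if policy["sensitivity"] == "high" else step_up
        target.append("unmanaged device")
    if req.src_country not in ALLOWED_COUNTRIES:
        step_up.append(f"request from unexpected country {req.src_country}")
    if policy["sensitivity"] == "high" and req.mfa_age_min > STRONG_AUTH_MAX_MIN:
        step_up.append(f"strong auth is {req.mfa_age_min} min old (limit {STRONG_AUTH_MAX_MIN})")

    if deny:
        return "deny", deny
    if step_up:
        return "step_up", step_up
    return "allow", ["identity, device and context within policy"]


# Constructed sample requests.
SRE_FRESH            = Request("alice", frozenset({"sre"}),      5,   True,  True, "IL", "prod-db")
SRE_STALE_AUTH       = Request("alice", frozenset({"sre"}),      120, True,  True, "IL", "prod-db")
SRE_UNMANAGED_DEVICE = Request("alice", frozenset({"sre"}),      5,   False, True, "IL", "prod-db")
EMPLOYEE_ON_PROD_DB  = Request("bob",   frozenset({"employee"}), 5,   True,  True, "IL", "prod-db")
EMPLOYEE_WIKI_ABROAD = Request("bob",   frozenset({"employee"}), 300, True,  True, "RO", "wiki")

if __name__ == "__main__":
    for r in (SRE_FRESH, SRE_STALE_AUTH, SRE_UNMANAGED_DEVICE, EMPLOYEE_ON_PROD_DB, EMPLOYEE_WIKI_ABROAD):
        decision, reasons = decide(r)
        print(f"{r.user:6} {r.resource:8} -> {decision:8} {'; '.join(reasons)}")
```

The ordering matters: entitlement and endpoint health are checked before anything contextual, so a user who lacks the role is denied even from a managed device in an expected country, and a stale MFA on a low-sensitivity resource is simply allowed rather than generating step-up fatigue.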
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
We’re already seeing the impact of AI across multiple areas and disciplines. Over the past year alone, it has dramatically increased velocity and efficiency while amplifying security blind spots.
AI accelerates infrastructure provisioning, code development, and resource creation. But that speed often outpaces traditional security review, visibility, and governance models. As a result, risk is being introduced faster than many security teams can reason about it.
Looking ahead, I believe security teams will spend significantly more time on threat modeling AI-generated infrastructure, code, and resources. Not just securing AI systems themselves, but validating that everything created by AI aligns with security best practices across the organization.
That includes:
- Understanding how AI-generated code introduces new classes of vulnerabilities
- Assessing infrastructure and configuration drift created at machine speed
- Enforcing guardrails around data usage, access, and model behavior
- Embedding AI security principles consistently across engineering, cloud, and product teams
In other words, security teams will shift from reviewing human decisions to governing machine-driven ones.
The teams that succeed won’t try to slow AI down — they’ll focus on designing trust, guardrails, and continuous validation around it.
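Two answers above point at the same control: surfacing configuration drift and excessive permissions early (the SSPM point in the personal-setup answer) and assessing infrastructure and configuration drift created at machine speed (this answer). The block below is an added example, not Torq's code or any product's engine, that does both over a constructed inventory: it compares live resources against what the reviewed IaC declared, and separately checks every live resource against a few posture invariants regardless of whether a human or an agent created it. The resource identifiers, the simplified attribute schema and the invariants are assumptions chosen for illustration.

```python
"""Drift and invariant checks for resources created faster than review.

Added example (not Torq's code). Two independent questions are asked of a
constructed cloud inventory:
  1. drift   - does what exists match what the reviewed IaC declared?
  2. posture - does each live resource satisfy invariants that hold no matter
               who or what created it?
Both matter: an AI agent can create a perfectly compliant bucket nobody
declared, or a declared role can be widened in the console after review.
"""

# What the reviewed IaC says should exist (constructed, simplified schema).
DECLARED = {
    "s3://prod-logs":  {"type": "s3",  "public": False, "encrypted": True},
    "sg-web":          {"type": "sg",  "ingress": [{"port": 443, "cidr": "0.0.0.0/0"}]},
    "role/ci-deploy":  {"type": "iam", "actions": ["ecr:PutImage", "ecs:UpdateService"]},
}

# What actually exists right now (constructed).
LIVE = {
    "s3://prod-logs":      {"type": "s3",  "public": False, "encrypted": True},
    "s3://scratch-ai-7f3": {"type": "s3",  "public": True,  "encrypted": False},   # created by an agent, never declared
    "sg-web":              {"type": "sg",  "ingress": [{"port": 443, "cidr": "0.0.0.0/0"},
                                                       {"port": 22,  "cidr": "0.0.0.0/0"}]},  # SSH added by hand
    "role/ci-deploy":      {"type": "iam", "actions": ["*"]},                      # widened after review
}


def find_drift(declared, live):
    """Return (resource, kind, detail) for unmanaged, drifted and missing resources."""
    findings = []
    for rid, state in live.items():
        if rid not in declared:
            findings.append((rid, "unmanaged", "exists in account but not in IaC"))
            continue
        for attr, want in declared[rid].items():
            if state.get(attr) != want:
                findings.append((rid, "drift", f"{attr}: declared {want!r}, live {state.get(attr)!r}"))
    for rid in declared:
        if rid not in live:
            findings.append((rid, "missing", "declared in IaC but absent from account"))
    return findings


def check_invariants(live):
    """Return (resource, violation) for posture rules that apply to every live resource."""
    violations = []
    for rid, s in live.items():
        if s["type"] == "s3":
            if s.get("public"):
                violations.append((rid, "bucket is public"))
            if not s.get("encrypted"):
                violations.append((rid, "bucket is unencrypted"))
        elif s["type"] == "sg":
            for rule in s.get("ingress", []):
                if rule["cidr"] == "0.0.0.0/0" and rule["port"] != 443:
                    violations.append((rid, f"port {rule['port']} open to the internet"))
        elif s["type"] == "iam":
            if "*" in s.get("actions", []):
                violations.append((rid, "wildcard action grant"))
    return violations


if __name__ == "__main__":
    for rid, kind, detail in find_drift(DECLARED, LIVE):
        print(f"DRIFT    {kind:9} {rid:22} {detail}")
    for rid, why in check_invariants(LIVE):
        print(f"POSTURE  {'violation':9} {rid:22} {why}")
```

Running both passes over the same inventory is the point: drift detection catches the undeclared scratch bucket and the widened role even when they look harmless, while the invariant pass catches the public, unencrypted bucket and the exposed SSH port even if someone later "fixes" the drift by declaring them in IaC.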
