Cybersecurity has long been framed as a question of human behavior: training employees, reducing mistakes, and hoping awareness translates into better outcomes. But in reality, the most effective security leaders are shifting that paradigm entirely. In CISO Diaries, we explore how today’s CISOs think beyond tools and training, focusing instead on the structural decisions that determine whether organizations are truly resilient.
This series goes inside the day-to-day thinking of security leaders: how they prioritize, how they communicate risk across vastly different stakeholders, and how they design systems that don’t rely on perfect human behavior to succeed. Because at scale, security is less about preventing every mistake, and more about ensuring that mistakes don’t turn into catastrophic failures.
About Benjamin Bachmann
Benjamin Bachmann is CISO at Bilfinger SE, where he leads group-wide information security across a complex, decentralized organization spanning industrial operations, critical infrastructure, and OT environments. With over 15 years of experience across IT and cybersecurity, he brings a systems-level perspective to security, treating it as an architectural discipline rather than a compliance exercise.
Known for his clear, often contrarian stance on security culture, Benjamin challenges the idea that employees are the weakest link, instead advocating for systems that remain resilient even when things go wrong. In addition to his role at Bilfinger, he is the co-host of the Infosec Theater Podcast, a speaker, and a startup advisor, helping organizations rethink how security, leadership, and operational reality intersect.
How do you usually explain what you do to someone outside of cybersecurity?
I protect information. Not just computers or networks, but the knowledge that keeps a company functional, trustworthy, and competitive. Think of it like this: a company runs on decisions, and decisions run on information. My job is to make sure that information stays accurate, available, and in the right hands. The technology is just the plumbing.
What does a “routine” workday look like for you, if such a thing exists?
It doesn’t, really. But most days start with a quick self-check: where is my energy, what needs actual thinking today versus just execution. The calendar tends to lie about priorities. The real work is figuring out what actually matters and protecting time for that.
What part of your role takes the most mental energy right now?
Translating. Not languages, but frames of reference. The same risk means something completely different to an engineer, a board member, and a plant manager in industrial operations. Getting those three to act on the same reality, without dumbing it down or inflating it, that’s the hard part. On top of that: NIS2 and the fragmented way it’s being transposed across different countries. Same directive, different national flavors, different timelines, different interpretations. Keeping a consistent program aligned across that patchwork takes more energy than most people outside the role realize.
What’s one security habit or routine you personally never skip?
Compartmentalization. Not just technically, but cognitively. I try not to carry work threat models into private life and vice versa. The paranoid CISO who treats their family like a threat actor is not a success story.
What does your own personal security setup look like?
Password manager, hardware FIDO key, passkeys wherever the service actually supports them properly, strong encryption on devices, and distributed backups across multiple NAS systems. Not one backup, multiple. Because a backup you haven’t tested is just optimism stored on a hard drive. Nothing exotic, but everything deliberate.
What book, podcast, or resource has influenced how you think about leadership or security?
Two books that had nothing to do with security but changed how I lead. “Eat That Frog” by Brian Tracy, because ruthless prioritization is a security skill, not just a productivity tip. And “Mythos Motivation” by Reinhard Sprenger, which makes a simple but devastating argument: you cannot sustainably motivate other people. You can only demotivate them. The best you can do is remove the obstacles that get in the way of people motivating themselves. That reframed how I think about security culture entirely. Stop trying to inspire people into secure behavior. Start removing the friction that makes insecure behavior easier.
What’s a lesson you learned the hard way in your career?
That a technically correct recommendation that nobody acts on is worth nothing. Being right is not the job. Getting the organization to move is the job. But there’s a harder lesson underneath that one: honesty is not always welcome. Early in my career, I learned that some leaders don’t actually want to know the risks. They want confirmation that everything is fine. Walking into a room with an accurate picture of reality and watching it land badly taught me that timing, framing, and relationship come before truth. Not instead of it. Before it.
What keeps you up at night right now, from a security perspective?
Honestly? Nothing. I sleep well. Not because everything is under control, it never is, but because I’ve made peace with the nature of the job. You build resilience, you reduce probability, you prepare for recovery. Lying awake, rehearsing worst cases, doesn’t make the organization more secure. It just makes you worse at your job the next morning.
How do you measure whether your security program is actually working?
Several angles at once. How many reports and signals are we receiving, and does that number reflect reality or just noise? How does the organization respond to us: are we brought in early on decisions, or called in afterward to clean up? That tells you more about program maturity than any dashboard. And technically: how early do we detect, how fast do we contain. Not whether incidents happen. How much damage they do before we catch them.
What advice would you give to someone stepping into their first CISO role today?
Security is not an end in itself. Your job is to deliver as much security as the business needs, and sometimes a little more on the non-negotiables. EDR, for example, is not a discussion I have. But everything else should be calibrated to actual risk appetite, not to what feels comprehensive on a framework spreadsheet. And learn to speak the language of the board and the business before you master the language of the AD admin. Technical depth matters, but the CISO who can only talk to engineers will always be underfunded and underestimated.
What do you think will matter less in security five to ten years from now?
Awareness training as a primary control. We’ve spent twenty years blaming users for clicking the wrong thing. If your architecture requires humans to be perfectly vigilant to stay secure, you have an architecture problem, not a people problem. The most important thing awareness training should ever produce is one sentence: if something feels off, call me. Everything else is theater.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Maybe by then we won’t be talking about AI at all, but AGI that largely governs itself. Half-joking. But seriously: the core job will look familiar, just at a different order of magnitude. More AI in the environment, more cloud, no meaningful on-premises footprint left. The tools will have different names, NextNextGen-EDR or whatever the analyst firms decide to call it, but the underlying problem is the same: understand the environment, reduce the attack surface, detect what gets through, and recover fast. The fundamentals don’t expire. Only the layer they operate on keeps changing.