CISO Diaries: Dana Kilcrease on Strategic Risk and Resilient Security Leadership


The modern CISO role is rarely defined by a single environment, budget, or threat model, especially outside of large enterprises. In CISO Diaries, we speak with security leaders operating in complex, real-world conditions, where constraints are real, tradeoffs are constant, and success is measured as much by behavior and trust as by controls.

This series explores how CISOs actually work: how they explain security to the business, where their mental energy goes, how they stay resilient, and how they navigate risk when certainty is impossible. Through candid conversations, CISO Diaries captures the evolving reality of security leadership, one shaped by judgment, governance, and the ability to help organizations take smarter technology risks.

About the Interviewee: Dana Kilcrease

Dana Kilcrease is a cybersecurity leader with extensive experience overseeing complex, multi-entity environments across education, nonprofit, and international domains. He currently serves as Chief Information Security Officer at Berkeley College, where he leads enterprise security strategy across the college, affiliated nonprofit foundations, global partnerships, and subsidiary operations. Dana specializes in building and maturing security programs from the ground up, translating regulatory and threat landscapes into actionable strategies while balancing constrained budgets and growing technological risks. Known for his pragmatic, business-aligned approach, he emphasizes building trust, fostering cross-functional collaboration, and embedding security into organizational culture, ensuring initiatives not only protect but also empower the business.

How do you usually explain what you do to someone outside of cybersecurity?

I help the business take smarter technology risks.

What does a “routine” workday look like for you, if such a thing exists?

Every day is vastly different and largely dependent on where we are in the quarterly/annual cycle. This can stretch from collecting evidence for an audit, to working on a new initiative with stakeholders from across the organization, to evaluating new vendors and technologies, to working with our IT teams to resolve an issue. Many days it’s a combination of these.

What part of your role takes the most mental energy right now?

Right now, the biggest mental challenge is finding ways to balance an already tight budget with growing technology risk. AI has fundamentally changed the threat landscape over the past 24 months, but my budget and planning cycles still move at an annual pace. The mental load comes from the asymmetry of this challenge. Attackers only need to be right once and can now move at the speed of AI, while those of us defending have to be right every time and work within the constraints of annual corporate budgets.

What’s one security habit or routine you personally never skip? (Work or personal.)

I’ll give two: physical and mental resilience. This job demands a lot both physically and mentally, so things like regular exercise and sleep routines need to be prioritized as much as possible.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I practice what I preach at work: defense in depth and fundamental security practices across the board. This has been especially challenging, having children, as not only are their devices surprisingly open by default, but I also have built-in pen-testers trying to circumvent my controls!

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

Cybersecurity First Principles by Rick Howard. The insights in the book helped me move away from chasing tools and toward building a strategy based on fundamentals. What are we protecting, why it matters, and how risk actually moves through an organization.

What’s a lesson you learned the hard way in your career?

A CISO is advisory, not prescriptive. Early in my career, I thought that my job was to mandate security. Over time, I learned that prescriptive solutions fail at scale. The real job of a CISO is to present the risk in a way that leadership can understand and then let the business choose its own path with its eyes open.

What keeps you up at night right now, from a security perspective?

The shrinking window between vulnerability disclosure and real-world exploitation. We’re seeing weaponized exploits within hours now, not weeks, and it’s forcing us to re-evaluate our patching cadence with already-constrained resources. We are quickly moving towards a world where automated response is a requirement for survival.

How do you measure whether your security program is actually working?

By how people behave. Do executives understand their risk exposure? Do employees report suspicious activity instead of hiding or ignoring it? Do project stakeholders involve security early in their initiatives? These types of signals matter more than any KPI.

What advice would you give to someone stepping into their first CISO role today?

Spend the first few months listening. Learn how the business actually works, who makes the decisions, and where the money and influence flow. Your ability to secure the company is directly tied to how much the heads of the business trust you.

What do you think will matter less in security five to ten years from now?

We will see the end of highly siloed technical gatekeeping. As AI lowers the barrier to entry for complex technical tasks, the premium on deep expertise will diminish outside of the largest companies. I believe the value will shift towards the generalists who can work across multiple domains to make holistic risk decisions.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Security teams will pivot from being operators to governors. AI will continue to absorb low-level triage and other technical chores, which will free up practitioners to focus more on strategy and architecture.