David Webb’s perspective on cybersecurity has been shaped by environments where operational failure carries real-world consequences. A retired U.S. Air Force Cyber Operations Officer and current Agency Cybersecurity Officer at the Cybersecurity and Infrastructure Security Agency, Webb has spent years helping organizations think beyond isolated technical threats and toward something broader: resilience, survivability, and mission continuity. His work across military operations, critical infrastructure, and national cyber defense has given him a front-row view into how leadership, technology, governance, and human decision-making intersect under pressure.
That experience makes his perspective especially valuable for CISO Diaries, a series focused not just on cybersecurity strategy, but on how security leaders actually think, operate, and make decisions day to day. In this conversation, Webb discusses why cybersecurity must be framed as an operational and business issue, not simply a technical one, along with the growing challenge of translating cyber risk into organizational impact. He also reflects on servant leadership, the dangers of “checkbox security,” and why the future of cyber defense will increasingly revolve around resilience engineering rather than the unrealistic goal of preventing every attack.
How do you usually explain what you do to someone outside of cybersecurity?
I usually tell people that my job is to help organizations protect the systems, services, and infrastructure that all people depend on every day.
Cybersecurity can sound abstract until you connect it to real life: energy, transportation, emergency services, water, communications, healthcare, banking, and government operations. My role is to help leaders understand cyber risk in plain language, make better decisions, and build programs that can withstand disruption.
At its core, I help organizations answer three questions:
- What matters most? What are your “Crown Jewels”?
- What could hurt us?
- And what are we doing about it before something bad happens?
What does a “routine” workday look like for you, if such a thing exists?
There really is no fully routine day, which is part of the job.
A normal day may include advising senior leaders, reviewing cyber risk across critical infrastructure sectors, helping organizations think through security architecture, discussing incident readiness, assessing gaps in defensive capabilities, or translating technical risk into executive decision points. Most recently, this has become a discussion about how to translate cyber or IT risk into operational impacts.
Some days are strategic. Some days are deeply operational. Some days are about policy, workforce, governance, and getting the right people in the room. The constant thread is helping organizations move from awareness to action.
The work is rarely about a single system, vulnerability, or tool. It is usually about the intersection of mission, risk, people, technology, and leadership.
What part of your role takes the most mental energy right now?
The hardest part right now is helping organizations make sense of their risk in an environment that is moving faster than their governance models, workforce pipelines, and acquisition processes can comfortably keep pace with.
Artificial intelligence is accelerating that pressure. Leaders are being asked to adopt AI, defend AI, govern AI, and explain AI-driven risk; often before their organizations have fully matured basic cyber hygiene, identity management, asset visibility, data governance, or incident response.
Bottom Line: The mental energy is not just technical. It is systems thinking. How do you help organizations modernize without creating new blind spots? How do you build trust in automation without surrendering human engagement and human judgment? How do you prepare the workforce when the job itself is changing underneath them?
That is where I spend a lot of brain power.
What’s one security habit or routine you personally never skip? Work or personal.
I do not skip multi-factor authentication, and I do not treat passwords casually.
It sounds basic, but basics win. MFA, strong unique passwords, password managers, patching, backups, and knowing what devices are connected to your environment still prevent a lot of pain.
I also try to maintain a deliberately healthy skepticism around links, attachments, QR codes, unexpected prompts, and “urgent” requests. Most intrusions still require a human decision somewhere in the chain. Slowing down for security, taking ten seconds before clicking, is not paranoia. It is discipline.
What does your own personal security setup look like? Password manager, MFA, backups, devices, at a high level.
At a high level, I use a password manager, extremely unique passwords, MFA wherever it is available, and layered device security.
I separate personal, professional, financial, and academic workflows as much as possible. Devices stay updated, unnecessary services are turned off, and I pay attention to account recovery settings because it’s often where many fail and can create their weakest link.
Backups matter, too. I like having more than one path to recovery, especially for important family, financial, academic, and professional files. Security is not only about preventing compromise. It is also about being resilient, being able to fully recover when something fails.
What book, podcast, or resource has influenced how you think about leadership or security?
I think Leadership & Security can be separated, but there is a deliberate space for Cybersecurity Leadership. Books – there are countless books I’ve learned from over the years. I think my top 5 would be:
- The Phoenix Project by Gene Kim: excellent leadership, process, accountability, and reliance on individuals rather than team resources.
- Radical Candor by Kim Scott: a great resource for learning how tactful dissent and meaningful, deliberate conversations help build teams and relationships, and prioritize tasks and resources.
- Ego is the Enemy by Ryan Holiday: it leads to the ability to humble oneself in front of and with others and provides a basis for servant leadership.
- Leaders Eat Last by Simon Sinek: as a retired military officer, I learned that our people are the most important and capable resource. We need to ensure they are not just fed first, but taken care of from every angle: physically, mentally, spiritually, and emotionally. People are the backbone of the organization; they make things happen, and we (as leaders) cannot and should not forget that.
- The Wisdom of the Bullfrog by Admiral William McRaven (USN, Ret., SEAL): from stories of SEAL training, to leading special operations teams in some of the most hostile and denied environments, to commanding the Joint Special Operations Command and United States Special Operations Command, this book provides insights for leading everything from small teams to large organizations with a broad workforce and mission-critical capabilities. It all starts with ensuring you “Make your bed,” which is a daily foundation of accomplishment.
One of the biggest influences on how I think about leadership is the concept of servant leadership. I have seen time and again that cyber teams fail because someone at the top has the loudest voice. They succeed when leaders create clarity, remove barriers, develop people, and build trust before a crisis hits.
From an academic and operational perspective, I also think a lot about socio-technical systems theory. Cybersecurity is never just technology. It is people, process, mission, culture, incentives, and technology interacting under pressure.
That lens matters. If you only optimize the technical side, you miss the organizational reality. If you only focus on people and policy without understanding the technology, you miss the threat. Good cyber leadership lives in the middle.
What’s a lesson you learned the hard way in your career?
The lesson I learned the hard way is that being technically right is not the same thing as being effective.
Early in a career, especially in military and technical environments, it is easy to believe that if you have the right answer, the organization will naturally move in the right direction. That is not how complex organizations work.
You have to communicate risk in a way people can act on. You have to understand incentives, constraints, budgets, politics, culture, and timing. You have to know when to push, when to educate, when to listen, and when to let the mission context shape the recommendation.
Cybersecurity is a team sport, but leadership is what turns technical knowledge into organizational movement.
What keeps you up at night right now, from a security perspective?
An organization’s inability to decipher between cybersecurity as a cost center versus a revenue retention function. Cybersecurity professionals need to understand business processes, business outcomes, and how cybersecurity enables them. This messaging and its understanding must be presented wisely to CFOs, CEOs, and Boards of Directors so that informed risk decisions can be made, rather than a misunderstanding that system security isn’t operational security and operational survivability.
How do you measure whether your security program is actually working?
I look for evidence that the program is reducing risk, improving resilience, and enabling the mission.
That means going beyond compliance checklists. Compliance matters, but compliance alone does not prove security effectiveness.
I want to know things like:
- How quickly can we identify critical assets?
- How fast can we detect and respond to suspicious activity?
- Are we reducing the number of repeat findings?
- Are vulnerabilities being prioritized based on mission impact?
- Are backups tested?
- Are incident response plans exercised?
- Do organizational leaders understand their cyber risk?
- Are users reporting suspicious activity?
- Are security controls mapped to real threats?
A working security program should produce fewer surprises, faster recovery, better-informed decisions, and stronger alignment among cyber risk, operational alignment, and mission priorities.
What advice would you give to someone stepping into their first CISO role today?
I think a three-pronged approach:
- Understand, concretely, where you fit within the leadership structure. Are you a figurehead, or do you have the operational and financial authority to commit resources to solve problems and reduce the cyber/IT risk profile?
- Know your enterprise and the organization’s “Crown Jewels” and why they’re designated as such. Build an IT/cybersecurity program to ensure their survivability/recoverability; this is an operationally focused activity that involves the entire organization. Being able to articulate what the risk profile is around these assets is paramount to gaining support from the entire C-Suite to build a workable, manageable, and sustainable security program.
- Listen first, gain an understanding of the organization’s climate, overall risk posture, and the critical stakeholders who will be enabled by your security program or potentially hindered by it. Take time to talk about cyber risk, impact on operational effectiveness, organizational reputation, and help your teams articulate the importance of system, personal, and physical security posturing.
What do you think will matter less in security five to ten years from now?
I think traditional credentialism will matter less.
Degrees, certifications, and formal education will still have value. Still, I believe the field will continue to move toward demonstrated capability, adaptability, judgment based on proven/validated experience, and continuous learning. The workforce problem is too large, and the technology is changing too quickly, for organizations to rely only on rigid hiring filters.
I also think static, point-in-time security models will matter less. Annual assessments, one-time authorizations, and compliance snapshots are increasingly ill-suited to the pace of modern threats. Security will have to become more deliberately continuous, evidence-based, automated, and integrated into operations.
The checkbox culture will not disappear, but it will become less defensible as a measure of actual cyber readiness.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
I think cyber teams will spend more time on resilience engineering. The question will not simply be, “Can we stop every attack?” The better question will be, “Can we continue operating through disruption, recover quickly, and preserve trust?”
The future security team will need technical depth, operational judgment, data literacy, AI fluency, and leadership maturity. The strongest teams will not be the ones with the most tools. They will be the ones who know how to combine human judgment and machine speed without losing accountability.