In the world of cybersecurity, the most impactful leaders aren’t defined by the tools they deploy or the policies they write; they’re defined by the decisions they make when the stakes are highest. CISO Diaries is a new series dedicated to exploring that human element: the daily rhythms, habits, and leadership philosophies of today’s most influential CISOs and security leaders around the globe. Rather than focusing on sensational breaches or technical deep dives, this series uncovers what security leadership actually looks like in practice: how leaders balance risk and speed, navigate complex organizational dynamics, and build resilient programs that support growth instead of slowing it.
In this edition of CISO Diaries, we speak with Derek Galvin, a senior executive advisor and non-executive director with more than 25 years of experience in digital strategy, transformation, and cyber resilience. Known for stepping into complex environments as an interim CIO, CISO, CDO, or Chief Architect, Derek helps boards and executive teams translate technical complexity into measurable business outcomes. His work spans major multinational transformations, cloud-enabled zero-trust initiatives, and high-impact security architecture programs, each delivered with an emphasis on alignment, execution, and real-world results. In his own words, Derek isn’t there to “fix computers”; he’s there to help organizations move fast without stepping on landmines.
About the Interviewee: Derek Galvin
Derek Galvin is a senior executive advisor and non-executive director specializing in digital strategy, transformation, and cyber resilience. With more than 25 years of experience, Derek partners with boards and executive teams across global enterprises, often serving in interim leadership roles such as CIO, CISO, CDO, and Chief Architect. He is recognized for translating complex IT and security strategy into tangible business success, delivering measurable efficiency gains and risk reduction across large-scale programs. His work includes leading major digital transformation initiatives, guiding cloud-enabled zero-trust strategies, and supporting startups from seed to pre-IPO exits, always with a focus on practical, high-impact outcomes.
How do you usually explain what you do to someone outside of cybersecurity?
I describe myself as a business risk translator. My job isn’t to “fix computers,” but to help the company make informed trade-offs so we can move fast without stepping on landmines (business risk or regulatory risk). I am the person who asks the uncomfortable questions before something breaks so that management can sleep better.
What does a “routine” workday look like for you, if such a thing exists?
There is no such thing as a routine day, and that is by design. My time is split between filtering out the noise, balancing tactical needs, and focusing on strategic work, such as refining our cyber strategy.
What part of your role takes the most mental energy right now?
People and culture. Technology is the easy part; the real challenge is navigating “politics”: the personalities, incentives, and power dynamics required to get an entire organisation to make better security decisions daily. Security rarely fails because of a missing tool; it fails because of human misalignment or mistrust.
What’s one security habit or routine you personally never skip?
Taking care of my mental and physical health. If I don’t take care of myself, my decision-making and patience suffer, which makes me a less effective leader.
What does your own personal security setup look like?
It is “boring” on purpose: MFA everywhere with no exceptions.
What book, podcast, or resource has influenced how you think about leadership or security?
I am highly selective about what I read. I lean on resources focused on human dynamics, such as “The Culture Code” by Daniel Coyle and “The Five Dysfunctions of a Team” by Patrick Lencioni. For security specifically, “Cybersecurity First Principles” by Rick Howard is essential for staying grounded in what actually matters.
What’s a lesson you learned the hard way in your career?
I learned that scaring people is a failing strategy; trust your team. My job is to evaluate risk in business terms, not to be the “Department of No”. With regard to XaaS, always understand how you can get out without putting your organisation at risk; don’t always trust your vendors when they sell opt-out or rollback options.
What keeps you up at night right now, from a security perspective?
Supply chain risk and the rise of automated attacks on open-source supply chains. I am also deeply concerned about the geo-political situation, specifically how the U.S. withdrawal from 66 international organisations related to cybersecurity, including the Global Forum on Cyber Expertise and the European Centre of Excellence for Countering Hybrid Threats, will impact sovereignty and global collaboration.
How do you measure whether your security program is actually working?
By looking at fundamental controls and employee behaviour. If employees are actively reporting suspicious activity and engaging with the security team, it shows the culture is shifting. Beyond culture, I measure the exceptional execution of the “boring” basics: access control, asset visibility, and vulnerability management.
What advice would you give to someone stepping into their first CISO role today?
Listen more than you speak. In your first month, don’t try to “fix” everything; instead, map the organisation and build trust with your team. Remember that your team’s collective knowledge outweighs your own. Your job is to ensure the most innovative ideas surface without fear, not to be the smartest person in the room. Network with your peers; you need to build a rapport.
What do you think will matter less in security five to ten years from now?
Hands-on, repetitive technical tasks. AI will take over pattern-based work like alert triage, correlation, and manual secure coding. This will, however, only work if your ecosystems are properly mapped with your business processes. The traditional “network perimeter” will also continue to lose relevance as we move toward data-centric security.
Looking ahead 10 years, what do you believe security teams will spend most of their time on?
We will shift from “hands-on-keyboard” to an “air traffic control” model, where security teams will spend their time supervising automation and AI governance. The focus will shift to validating that automated decisions are compliant and aligned with business goals and acceptable risk, and to managing the consequences when automated systems fail.
