CISO Diaries: Diyar Akhmedov on Speed, Trust, and Security in the Age of AI


Diyar Akhmedov, Head of Information Security at Yelo Bank, approaches cybersecurity through a simple but grounded lens: connect it to real-world events people already understand. For him, security becomes tangible when it is explained through fraud cases, cyber incidents, and the growing impact of digital threats on everyday life. That practical framing carries into his leadership style, where no two days look the same, only the certainty that unpredictability is part of the job.

In this edition of CISO Diaries, Akhmedov shares how he navigates the constant tension between business speed and security control, why MFA and strong personal discipline remain non-negotiable, and how AI is reshaping both attack methods and internal risk. He also reflects on one of the most important lessons of his career: that security is ultimately built on trust and relationships, not tools. Looking ahead, he expects the future of cybersecurity to revolve increasingly around managing AI systems, identity, and decision integrity in fast-moving digital environments.

How do you typically explain your work to people outside of cybersecurity?

I explain it using current events, both global and national, as references. I give examples of various fraudulent and cyber incidents. This makes my job and its implications more interesting and easier to understand for people.

What does your “routine” workday look like, if there is one?

Frankly, the word “routine” sounds optimistic in this role. Mornings usually start with a review of overnight alerts and incidents. Then things change quickly: meetings with vendors, team synchronization, review of draft policies, or participation in a business meeting that requires the opinion of security specialists. The interesting thing about the job is that no two days are the same. The most predictable part of my day is that something unpredictable will happen.

What part of your job currently takes up the most mental energy?

Balancing speed and security. Businesses want to move quickly, launch products, implement new tools, and integrate AI. My job isn’t to say “no,” but to ensure rapid and secure progress. This requires constant negotiation, context switching, and sometimes uncomfortable conversations with people who view security as an obstacle rather than a foundation.

What security habit or routine do you personally never skip?

There are several, and one of them is multi-factor authentication (MFA) for everything—no exceptions, no compromises. If a platform doesn’t support it, I consider it a red flag for the platform itself. It sounds trivial, but the vast majority of account hacks I’ve observed over the years have come down to the lack of this single layer of protection.

What does your personal security system look like?

A password manager for everything, no re-entering passwords, ever. A hardware MFA key for important accounts. Separate devices for work and personal use. Regular encrypted backups. I periodically analyze my digital footprint to see what data exists about me that I didn’t intentionally place there.

What book, podcast, or resource has influenced your understanding of leadership or security?

I subscribe to numerous resources and try to read them whenever possible. In particular, there are podcasts and posts about information security from ETX and other well-known figures in the field. For strategic thinking, I find geopolitical analysis more valuable than most cybersecurity materials; understanding why attackers do what they do is just as important as knowing how they do it.

What lesson have you learned the hard way?

That relationships are more important than tools. You can have the best tech stack in the industry, but if the CISO doesn’t have the trust of the business, security becomes a game. I learned early on that spending time with the CFO, head of product, and operations team, understanding their challenges, pays dividends that no security tool can ever provide.

What’s keeping you up at night from a security perspective right now?

Two things. First, AI-enabled attacks: the barrier to entry for sophisticated phishing, social engineering, and code exploitation is rapidly decreasing, and defenders aren’t adapting at the same rate. Second, the internal risk arising from well-intentioned employees using unauthorized AI tools. The threat isn’t malicious intent, but convenience. This is more difficult to address with technology alone.

How do you measure the effectiveness of your security program?

Not by the number of alerts blocked or patches installed. I measure results: the average time to incident detection and response, the reduction in attack surface over time, and how often discovered security vulnerabilities are caught before they become incidents rather than after. I also pay attention to whether the business is addressing security proactively or only when something goes wrong. This behavioral change is one of the most telling signs of program maturity.
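The outcome metrics named in this answer (detection and response times, attack-surface reduction, and the share of vulnerabilities caught before they become incidents) can be computed mechanically from incident and finding records. The following is an added illustration, not code from the interview or from Yelo Bank; the incident records, findings, and exposure snapshots are constructed sample data, and the field names are assumptions. It reports both mean and median so that a single long-dwell incident does not silently dominate the headline number.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (assumed schema): when attacker activity began,
# when it was detected, and when it was contained. ISO 8601 timestamps.
INCIDENTS = [
    {"id": "INC-1", "started": "2024-03-01T08:00", "detected": "2024-03-01T09:30", "resolved": "2024-03-01T13:30"},
    {"id": "INC-2", "started": "2024-03-05T22:00", "detected": "2024-03-06T10:00", "resolved": "2024-03-06T16:00"},
    {"id": "INC-3", "started": "2024-03-10T14:00", "detected": "2024-03-10T14:30", "resolved": "2024-03-10T15:30"},
    {"id": "INC-4", "started": "2024-03-20T01:00", "detected": "2024-03-22T01:00", "resolved": "2024-03-22T09:00"},
]

# Constructed vulnerability findings: how each one came to light.
# Anything first seen during incident response counts as "caught after".
VULN_FINDINGS = [
    {"id": "VULN-1", "found_by": "scan"},
    {"id": "VULN-2", "found_by": "pentest"},
    {"id": "VULN-3", "found_by": "incident"},
    {"id": "VULN-4", "found_by": "scan"},
    {"id": "VULN-5", "found_by": "bug_bounty"},
]

# Constructed monthly snapshots of internet-exposed services.
EXPOSURE_SNAPSHOTS = [
    {"month": "2024-01", "exposed_services": 42},
    {"month": "2024-02", "exposed_services": 37},
    {"month": "2024-03", "exposed_services": 30},
]


def _hours_between(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def _summarise(hours: list[float]) -> dict:
    """Mean and median so one outlier cannot hide behind the average."""
    return {"mean_hours": mean(hours), "median_hours": median(hours)}


def mttd(incidents: list[dict]) -> dict:
    """Mean/median time from attacker start to detection (dwell time)."""
    return _summarise([_hours_between(i["started"], i["detected"]) for i in incidents])


def mttr(incidents: list[dict]) -> dict:
    """Mean/median time from detection to containment."""
    return _summarise([_hours_between(i["detected"], i["resolved"]) for i in incidents])


def pre_incident_catch_rate(findings: list[dict]) -> float:
    """Fraction of vulnerabilities found by proactive channels rather than by an incident."""
    proactive = sum(1 for f in findings if f["found_by"] != "incident")
    return proactive / len(findings)


def attack_surface_reduction(snapshots: list[dict]) -> float:
    """Percent reduction in exposed services from first to last snapshot (1 decimal)."""
    first, last = snapshots[0]["exposed_services"], snapshots[-1]["exposed_services"]
    return round((first - last) / first * 100, 1)


if __name__ == "__main__":
    print("MTTD:", mttd(INCIDENTS))
    print("MTTR:", mttr(INCIDENTS))
    print("Caught before incident:", pre_incident_catch_rate(VULN_FINDINGS))
    print("Attack surface reduction %:", attack_surface_reduction(EXPOSURE_SNAPSHOTS))
```

In the sample data, INC-4's two-day dwell time pulls the mean detection time to 15.5 hours while the median stays at 6.75 hours; reporting both is what makes the trend honest when a program is judged on outcomes rather than alert counts.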

What advice would you give to someone taking on the role of Chief Information Security Officer (CISO) for the first time today?

Learn the business before trying to change the approach to security. Understand what the organization is trying to achieve commercially, its biggest operational risks, and the board’s concerns. Security unrelated to the business context is simply an expensive, fictitious approach to compliance. Also, build trust gradually and spend it wisely. Your authority is your most valuable asset.

What do you think will be less important in security in five to ten years?

Perimeter-based thinking. The idea of an “inside” and an “outside” is already outdated in most environments. As identity becomes the real perimeter and workloads move further into cloud and edge environments, the traditional firewall-centric model will be less relevant. We’ll also see less manual threat hunting as AI takes over repetitive detection work, freeing analysts to focus on decision-making that requires informed judgment.

Looking 10 years from now, what do you think security teams will spend the majority of their time doing that they don’t today?

Managing AI systems, both those that attack us and those we use to protect ourselves. The question of whether AI-powered security decisions are auditable, explainable, and compliant will become a major operational challenge. Security teams will spend significant time focusing on the integrity of AI models and data provenance, and on ensuring that the systems we trust to protect us aren’t left undetected or manipulated. This is a problem most teams aren’t considering today.


John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.