CISO Diaries: Ejona Preci on Human-Centric Security and the Rise of AI-Driven Identity


Cybersecurity is often associated with control, restriction, and risk avoidance, but the most effective leaders see it differently. In CISO Diaries, we explore how today’s security executives are redefining the role, not as gatekeepers, but as enablers of innovation. This series dives into the real work behind the title: how CISOs think, how they make decisions under pressure, and how they design systems that allow businesses to move faster without losing control.

By focusing on routines, habits, and leadership philosophies, CISO Diaries highlights a critical shift in the industry, one where security is no longer just about defense, but about designing resilient, adaptable systems that align with how people actually work. As organizations adopt AI and operate in increasingly complex digital environments, the role of the CISO is expanding beyond technology into human behavior, identity, and trust.

About Ejona Preci

Ejona Preci is a cybersecurity strategist and Group CISO at LINDAL Group, with over a decade of experience bridging advanced security practices with human-centric design. She is known for her focus on making cybersecurity both effective and usable, ensuring that strong controls enhance, rather than hinder, business innovation.

Throughout her career, Ejona has worked across diverse teams and environments, translating complex security concepts into clear, actionable insights at the board level. She is a strong advocate for diversity in cybersecurity, believing that inclusive perspectives are essential to building resilient systems. With a growing focus on AI, identity, and the governance of autonomous systems, her work reflects a forward-looking approach to security, one that prioritizes adaptability, usability, and long-term organizational resilience.

How do you usually explain what you do to someone outside of cybersecurity?

I like to say, “I build effective brakes.” Cybersecurity is like the brakes on a car. Most people think brakes exist to slow the car down. But any racing driver will tell you the opposite; good brakes are actually what allow you to go faster. When you trust your brakes, you can push the car much harder into the corners. Security works exactly the same way.

My job isn’t to sit in meetings saying “no” but to make sure the company has great brakes so the business can move fast, launch new ideas, adopt new technologies, and still stay in control.

When the controls are strong enough, innovation doesn’t slow down; it accelerates!

What does a “routine” workday look like for you, if such a thing exists?

The answer is simple: there is no routine! And that’s the reality of the CISO role.

One hour, I might be discussing strategy with the board. Next, I’m reviewing a security incident. Later, I’m helping a team launch something safely. And sometimes, in the middle of all that, I’m pulled into an AI security topic. A CISO’s day sits at the intersection of technology, risk, and business decisions.

Our job is to do whatever the situation requires, often in real time. Security doesn’t operate on a schedule. We respond to what the organization needs, whenever it needs it. The beauty of the role lies in learning to embrace the unknown while still guiding the organization forward with clarity.

What part of your role takes the most mental energy right now?

Right now, the most difficult challenge to tackle is AI and identity.

AI is reshaping cyber defense systems, but it’s also transforming how attacks happen. Attackers can now automate reconnaissance, generate highly convincing phishing campaigns, and scale their operations dramatically. At the same time, organizations themselves are deploying AI systems that can access data, interact with other systems, and even make decisions.

In many companies, AI agents are already acting as security principals, performing roles that look like IT specialists, finance operators, or analysts, and accumulating permissions dynamically as they work. In the age of agentic AI, identity becomes fluid. It’s no longer just about humans and service accounts. Understanding how these systems interact, where they can be abused, and how to design new security playbooks that keep organizations safe and operational is one of the biggest challenges facing CISOs today, and it’s what keeps many of us up at night.

What’s one security habit or routine you personally never skip? (Work or personal.)

If there’s one hill I’ll die on, it’s strong authentication. Passwords alone are simply not enough anymore. So yes, MFA. Everywhere. No exceptions. If a platform can’t support that, I don’t want an account there at all. Whenever possible, I use phishing-resistant MFA or passwordless authentication.

Modern cybersecurity isn’t about more fancy tools; it’s about discipline in the basics. Most attacks don’t start with zero-day exploits. They start with someone logging in as you!

What does your own personal security setup look like?

I keep it simple and disciplined:

  • A password manager for unique passwords everywhere. That said, for some critical systems I use, I still prefer to remember those passwords myself rather than store them in a password manager. Maybe that’s just a bit of professional paranoia.
  • Phishing-resistant MFA wherever possible.
  • Encrypted devices that are always updated.
  • And regular backups, including offline ones.

I also separate environments: work, personal, and AI experimental systems. I don’t like to mix them.

People often expect security leaders to have some extraterrestrial setup. The truth is the opposite. Good security is usually just doing the fundamentals consistently and without shortcuts.

What book, podcast, or resource has influenced how you think about leadership or security?

One book that influenced me early on is The 7 Habits of Highly Effective People by Stephen Covey. It’s not a cybersecurity book, but the principles apply surprisingly well to security leadership. Ideas like being proactive, focusing on what truly matters, cutting through the noise in a world saturated with information, and thinking long-term are essential in our field.

Cybersecurity often pushes leaders into reactive mode. Covey’s philosophy reminds us to step back and focus on building strong systems, strong teams, and strong habits. In the end, effective security programs are not built on technology alone; they’re built on consistent leadership and discipline.

What’s a lesson you learned the hard way in your career?

Early in my career, I believed that the best technology would solve most security problems. But over time, I learned that technology is rarely the hardest part. The real challenge is people, conflicting priorities, and communication.

If the business doesn’t understand the risk, even the best security architecture won’t help much. Security only works when it is aligned with what the organization pursues and how it actually operates. That lesson changed how I approach the role. A CISO isn’t just a technology leader; we’re translators between risk, technology, and business objectives.

What keeps you up at night right now, from a security perspective?

As I pointed out earlier, the new challenge for me (and I believe for most CISOs nowadays) is identity in the age of AI. For 20+ years, we’ve assumed every identity belongs to a human or a service account. That model is now collapsing. With AI and agentic systems, we’re suddenly introducing thousands of non-human actors into our environments, agents that can read data, call APIs, make decisions, and trigger actions.

And most companies are still securing the world as if only human employees or human threat actors exist. The next big attack surface won’t just be users or devices. It will be autonomous systems acting on our behalf. If we don’t rethink identity, authority, and control now, we’re about to create an ecosystem of powerful digital actors that no one is truly governing.

How do you measure whether your security program is actually working?

I don’t measure security by the number of controls, how many defense tools we deploy, or the volume of alerts we generate. I measure it by risk reduction, resilience, and contribution to business objectives.

The questions I usually ask are: Are we supporting the business in achieving its growth objectives? Are we reducing the organization’s attack surface? How fast do we detect threats, how quickly do we respond, and how well do we contain incidents?

The real test is resilience. When something goes wrong (and eventually it will), can the organization continue to operate, recover quickly, and limit the blast radius? If security enables the business to move fast while keeping risk under control, then the program is working.

What advice would you give to someone stepping into their first CISO role today?

Understand the business. Period.

Many security leaders focus only on technology, threats, and controls. But the real job of a CISO is to protect and enable the business. If you don’t understand how the company makes money, what its strategic priorities are, and what risks actually matter to leadership, you’ll always struggle to get security right. The most effective CISOs speak the language of the business first and security and tech second.

What do you think will matter less in security five to ten years from now?

Manual security operations. For decades, we built security around humans watching dashboards, triaging alerts, and manually responding to incidents. In a world shaped by AI (both on the defender and attacker side), that model simply won’t scale.

AI will dramatically change the speed, volume, and sophistication of attacks. Defending against that with purely human-driven operations will become unrealistic. What will matter less is how many analysts you have staring at alerts. What will matter far more is how quickly your systems can detect, decide, and respond at machine speed, with humans in the loop for critical use cases.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Over the next decade, security teams won’t just be defending systems; they’ll be governing autonomous digital actors. Organizations will run thousands of AI agents that can access data, make decisions, trigger transactions, and interact with other systems.

Security teams will need to define what those agents are allowed to do, what data they can access, how their authority is limited, and how their actions are monitored and audited.

Their job will shift from protecting users and devices to governing machine identities and autonomous behavior. And that will fundamentally redefine what cybersecurity looks like.
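The two governance ideas raised in this interview, that agents acting as security principals should not accumulate permissions dynamically as they work, and that a security team must define what each agent may do, what data it may access, how its authority is bounded, and how its actions are audited, can be made concrete as a deny-by-default authorization point for non-human identities. The following is an added example written for this page; it is not code from the interviewee, from LINDAL Group, or from any product. The policy model (an immutable per-agent scope of allowed actions, readable data classes, a transaction ceiling, and an expiry), the agent names, and the sample requests are all constructed for illustration.

```python
"""Deny-by-default authorization and audit for AI agents as non-human principals.

Added example, not code from the interview or from LINDAL Group. The policy model
here is hypothetical: each agent identity gets one immutable scope listing the
actions it may take, the data classes it may read, a numeric ceiling on any
transaction it may trigger, and an optional expiry. Every decision is appended
to an audit log so that monitoring can alert on denials.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class AgentScope:
    """Explicit, immutable grant for one AI agent identity (hypothetical model)."""
    agent_id: str
    allowed_actions: frozenset            # e.g. {"read_data", "trigger_transaction"}
    allowed_data: frozenset               # data classes this agent may read
    max_amount: float = 0.0               # ceiling for any transaction it triggers
    expires_at: Optional[datetime] = None  # short-lived grant; None means no expiry


@dataclass(frozen=True)
class Decision:
    """One audited authorization decision."""
    agent_id: str
    action: str
    resource: str
    allowed: bool
    reason: str
    at: datetime


class AgentAuthorizer:
    """Policy decision point for non-human principals: everything not granted is denied."""

    def __init__(self) -> None:
        self._scopes = {}   # agent_id -> AgentScope
        self.audit = []     # list of Decision, append-only

    def register(self, scope: AgentScope) -> None:
        # The scope is fixed at registration. There is deliberately no method to
        # widen it while the agent runs, so permissions cannot accumulate mid-task.
        self._scopes[scope.agent_id] = scope

    def authorize(self, agent_id: str, action: str, resource: str,
                  amount: float = 0.0, now: Optional[datetime] = None) -> Decision:
        """Evaluate one request; each check that fails records a denial with its reason."""
        now = now or datetime.now(timezone.utc)
        scope = self._scopes.get(agent_id)
        if scope is None:
            return self._record(agent_id, action, resource, False, "unknown agent identity", now)
        if scope.expires_at is not None and now >= scope.expires_at:
            return self._record(agent_id, action, resource, False, "scope expired", now)
        if action not in scope.allowed_actions:
            return self._record(agent_id, action, resource, False, "action not in scope", now)
        if action == "read_data" and resource not in scope.allowed_data:
            return self._record(agent_id, action, resource, False, "data class not in scope", now)
        if action == "trigger_transaction" and amount > scope.max_amount:
            return self._record(agent_id, action, resource, False,
                                f"amount {amount:.2f} exceeds ceiling {scope.max_amount:.2f}", now)
        return self._record(agent_id, action, resource, True, "within scope", now)

    def denials(self, agent_id: str) -> list:
        """Denied decisions for one agent: the signal a SOC would alert on."""
        return [d for d in self.audit if d.agent_id == agent_id and not d.allowed]

    def _record(self, agent_id, action, resource, allowed, reason, now) -> Decision:
        decision = Decision(agent_id, action, resource, allowed, reason, now)
        self.audit.append(decision)
        return decision


def build_demo_authorizer() -> AgentAuthorizer:
    """Constructed sample: two agents with narrow scopes (agent names are made up)."""
    auth = AgentAuthorizer()
    auth.register(AgentScope(
        agent_id="finance-agent",
        allowed_actions=frozenset({"read_data", "trigger_transaction"}),
        allowed_data=frozenset({"invoices"}),
        max_amount=5000.0,
    ))
    auth.register(AgentScope(
        agent_id="triage-agent",
        allowed_actions=frozenset({"read_data"}),
        allowed_data=frozenset({"alerts"}),
        expires_at=datetime(2030, 1, 1, tzinfo=timezone.utc),
    ))
    return auth


if __name__ == "__main__":
    auth = build_demo_authorizer()
    auth.authorize("finance-agent", "read_data", "invoices")
    auth.authorize("finance-agent", "read_data", "hr_records")
    auth.authorize("finance-agent", "trigger_transaction", "payments", amount=9000.0)
    auth.authorize("rogue-agent", "read_data", "invoices")
    for d in auth.audit:
        print(f"{d.at.isoformat()} {d.agent_id:14} {d.action:20} {d.resource:10} "
              f"{'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

Run as a script, it prints four audit lines: one allow for the in-scope read, and three denials (a data class outside the grant, a transaction above the ceiling, and a request from an identity that was never registered). The design choice worth noting is that the scope is a frozen value with no widening method, so the only way an agent gains authority is a new, reviewed registration; the `denials()` view is the hook a monitoring pipeline would use to spot an agent repeatedly probing outside its grant.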