At a company where innovation, performance, and precision are part of the brand itself, cybersecurity cannot operate as a disconnected control function. Elisa Romano understands this balance firsthand. As Head of Data Protection & Information Security at Automobili Lamborghini, she leads global efforts spanning cybersecurity, data protection, AI governance, and regulatory compliance across an increasingly connected industrial environment. Her role sits at the intersection of business transformation, emerging regulation, and operational resilience, where security decisions must support innovation rather than slow it down.
That perspective makes Romano’s experience especially valuable for CISO Diaries, a series exploring how security leaders actually think, operate, and make decisions behind the scenes. In this conversation, she reflects on the growing challenge of keeping security aligned with the speed of AI and digital transformation, why human behavior remains at the center of effective security programs, and how modern CISOs must evolve from operational defenders into strategic business advisors. She also shares insights on balancing governance with agility, building security cultures that scale globally, and why “verifying before trusting” remains one of the simplest but most powerful habits in cybersecurity today.
How do you usually explain what you do to someone outside of cybersecurity?
I usually explain that my role is to protect the company and enable it to operate securely in a digital world. That means protecting data, securing systems, and ensuring regulatory compliance, while also supporting innovation and business growth. In simple terms, I help the organization take security risks consciously, not blindly.
What does a “routine” workday look like for you, if such a thing exists?
There isn’t really a routine day, but there are recurring patterns. I usually wake up early in the morning, so I like to come to work early to have time to get into business activities with the proper mindset, without hurrying. My time is typically split among aligning with the business, overseeing risks and incidents, and regulatory priorities such as NIS2, GDPR, and AI governance. A significant part of the role is also aligning with the team to remove obstacles and help move projects forward. Every working day is a balance between planning and reacting.
What part of your role takes the most mental energy right now?
The most demanding aspect is finding a balance between securing the activities and supporting innovation. Threats change, regulations evolve, and the business moves fast. Making the right decisions with an incomplete view of the future scenario is where most of the mental energy goes.
What’s one security habit you personally never skip?
Verifying before trusting. Take time. Whether it’s an email, a request, or a link, I always take a moment to validate. Strong security is often built on simple, consistent habits rather than complex actions.
What does your personal security setup look like?
I follow the same principles I promote at an organizational level: be careful! Multi-factor authentication, regular backups, and properly updated devices. I also keep a clear separation between personal and professional environments. Discipline is key.
What resource has influenced how you think about leadership or security?
I’ve been more influenced by leadership and decision-making content, especially around managing uncertainty, building strong collaboration, and fostering accountability. Cybersecurity, in the end, is much more about people and behavior than technology alone.
What’s a lesson you learned the hard way?
That technology is never enough. You can implement the best tools in the market, but if people are not aligned and the culture is not mature, those controls won’t be effective. True security comes from a combination of technology, process, and mindset. The human factor is fundamental.
What keeps you up at night from a security perspective?
The growing gap between the speed of innovation and the maturity of security controls. With AI, increasing interconnectivity, and complex supply chains, the attack surface is expanding rapidly. Keeping security aligned with this pace is one of the biggest challenges.
How do you measure whether your security program is working?
A combination of factors: risk reduction and visibility, effectiveness in detecting and responding, and maturity against recognized frameworks such as ISO standards or NIS2. Equally important is whether security enables the business rather than slows it down. If both are true, then the program is working.
What advice would you give to someone stepping into their first CISO role today?
Start from the business, not from technology. To be successful in the CISO role, knowing the organization, the markets in which it operates, and its targets is fundamental to being effective. Build strong relationships across the organization, which has to be well known, and learn to communicate risk in a language that business leaders understand.
What will matter less in security five to ten years from now?
Purely reactive approaches and traditional perimeter-based security will become less relevant. Security is moving toward integrated, identity-driven, and risk-based models that are embedded into business processes rather than added on top of them.
Looking ahead 10 years, what will security teams spend most of their time on?
Security teams will increasingly focus on governing emerging technologies like AI, managing risks across complex ecosystems and third parties, and translating technical threats into business decisions. There will also be a stronger reliance on automation, reducing manual activities and allowing teams to act more as strategic advisors than purely operational defenders. In addition, managing the geopolitical situation becomes fundamental.