CISO Diaries: Fred Streefland on Adaptability, Leadership, and the Future of Cybersecurity


Cybersecurity leadership is often associated with technology, threats, and incident response, but the reality of the role extends far beyond technical controls. In CISO Diaries, we sit down with some of the world’s leading cybersecurity executives to explore the routines, philosophies, and experiences that shape how they lead. The series examines the human side of cybersecurity, from the habits leaders rely on daily to the lessons they learned the hard way, the pressures they navigate, and the evolving risks that keep organizations resilient in an increasingly digital world.

As cybersecurity becomes more deeply embedded into business strategy, today’s CISOs are expected to do far more than defend networks. They are advisors to executives, translators between technical and business teams, and strategic leaders responsible for helping organizations adapt to constant change. In this edition of CISO Diaries, Fred Streefland shares insights from a career that spans military intelligence, critical infrastructure security, cloud security, and executive advisory roles across both the public and private sectors.

About Fred Streefland

Fred Streefland is a cybersecurity thought leader, trusted C-level advisor, and Global Field CISO for EMEA at Check Point Software Technologies, where he advises executives across defense and critical infrastructure sectors on cybersecurity strategy and risk management. Based in the Netherlands, Fred brings decades of experience spanning military intelligence, enterprise security leadership, and cybersecurity consulting.

A graduate of the Netherlands Royal Military Academy, Fred served for 16 years as an Intelligence Officer within the Royal Netherlands Air Force, where he specialized in Russian weapons systems and advised NATO leadership, airbase commanders, and F-16 pilots during multiple international missions. After transitioning to the private sector, he held senior security leadership positions at organizations including IBM, Accenture, Leaseweb, and Palo Alto Networks. Known for his pragmatic and adaptable approach to cybersecurity, Fred continues to focus on helping organizations align security strategy with operational resilience and business realities.

How do you usually explain what you do to someone outside of cybersecurity?

I’ll tell people outside the cybersecurity industry that I can be best described as a trusted advisor on the topic of cybersecurity to the management of organizations (both public and private organizations). I’ll provide advice on the security strategy, a security roadmap, and how to manage digital risks within an organization. I’ll do this by having 1-1 meetings with C-executives, mostly CISOs, providing presentations at conferences, and publishing thought leadership articles.

What does a “routine” workday look like for you, if such a thing exists?

There’s no ‘routine’ workday, because every day is different. I also say: “Never a dull moment within the cybersecurity industry!” (which has been the case for the last 18 years :-)). Although every day is different, there’s something that can be defined as ‘a kind of routine’. This is reading the latest (cybersecurity) news from different forums, groups, and experts on the internet, mostly on LinkedIn.

What part of your role takes the most mental energy right now?

Preparing for customer meetings and my presentations. Although these meetings and presentations require serious attention and take some time to prepare, they give me more mental energy than they would cost me. I really like to present on stage and really enjoy the conversations with other CISOs, because I can also learn from them and I’ll also gain new insights and ‘lessons learned’.

What’s one security habit or routine you personally never skip? (Work or personal.)

I would never skip a workout of at least 30 minutes a day. This workout can be fitness, spinning, cycling, or any other sport. As a former soccer player at the highest level and triathlete at the amateur level, I cannot afford not to be fit, also mentally.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

As a Check Point employee, all my devices (including my personal mobile phone) have been secured with our Check Point Workspace Security solutions. At home, I have a segmented network with ‘common sense protection measures’ (FWs, Backups, etc.) in place.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

One of the most interesting (cybersecurity) books that I’ve read is Blackout by Marc Elsberg. Although probably more than 10 years old, it’s still a relevant book that describes how ‘hackers attacked the electricity grid in Europe’. One of the most inspiring and knowledgeable persons that I’ve worked with and probably learned the most from is Rick Howard (former Global CSO, Palo Alto Networks).

What’s a lesson you learned the hard way in your career?

I’ve learned the hard way that ‘gaining and maintaining full visibility on your infrastructure’ is extremely difficult. During one of my CISO roles, I thought I had full visibility into our entire infrastructure, which was also confirmed by our IT Director at the time. Unfortunately, we missed one terminal management server that a disgruntled employee had implemented on our network before he left the company. We didn’t know, until I received a phone call in the middle of the night from our CEO, that we had a security issue.

What keeps you up at night right now, from a security perspective?

Nothing basically (if I don’t get a phone call from a CEO :-))

As a former military officer, I’ve learned to sleep when and wherever I can, so my nights are always good.

But, from a security perspective, I do worry about the number of organizations that still don’t take cybersecurity very seriously and don’t invest in their CISO organization with budget and mandate. It’s no surprise that these organizations will end up in the headlines with a security incident…unfortunately.

How do you measure whether your security program is actually working?

That’s a very good question, which is a matter of time. It takes time to develop, implement, and manage an effective cybersecurity program. Before you can measure the effectiveness of the security program, you are probably already 2-3 years into working on this. But, once you are able to measure whether your security program is working, you should ask the Management (‘Board of Directors’) if they are satisfied with you managing their risk appetite. Because the CISO is responsible for managing (cyber) risks so that the business can do ‘its business’. It’s up to the Management to decide if the security program is working.

What advice would you give to someone stepping into their first CISO role today?

Just go for it! It’s one of the most challenging and rewarding jobs out there; my advice is to search for an experienced CISO who is willing to mentor you. Ultimately, the CISO role requires years of experience, and you must learn it by doing (not by studying security certifications).

What do you think will matter less in security five to ten years from now?

Manual repetitive security work, because AI Agents will replace that; I do sincerely hope by SECURE AI agents.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

With the current AI developments and their speed of adaptability, this question is impossible to answer. Even if you were to ask me the same question 1-2 years from now, I couldn’t provide you with a reasonable answer, sorry. 

But, looking ahead, there’s one thing that I know, which is that we need to adapt our security approach (if we would like to stay relevant).

As Charles Darwin quoted, “It is not the strongest or most intelligent species that survives, but the one that is most adaptable to change!”

 
