One of the biggest shifts in cybersecurity over the past decade has been the evolution of the CISO from technical expert to business strategist. Few people have witnessed and helped drive that transformation more closely than Jason Stradley. A four-time CISO, published author, and longtime security executive, Stradley has built a career around helping organizations mature their security programs without sacrificing business agility. Whether leading enterprise transformations or advising executives and boards, his philosophy remains remarkably consistent: cybersecurity exists to help organizations take risks safely, not eliminate risk altogether.
That perspective makes Stradley a natural fit for CISO Diaries, a series that explores how today’s security leaders think beyond the technology. Drawing on decades of experience across multiple industries, he shares why accountability matters more than tools, how CISOs can earn influence by speaking the language of business, and why the future of security will be driven by data, identity, and informed decision-making rather than an endless race to deploy more technology.
How do you usually explain what you do to someone outside of cybersecurity?
I tell people: “My job is to help the organization take risks safely.” More concretely:
- I protect data, systems, and operations from disruption
- I translate cyber risk into business impact (downtime, revenue, patient impact, trust)
- I make sure we can prevent, detect, and recover from cyber events
At the executive level, it’s less about “blocking hackers” and more about ensuring the business can operate confidently in a hostile environment.
What does a “routine” workday look like for you?
There’s no true routine, but it typically includes:
- Reviewing threat intelligence and current risks
- Meetings with business leaders to align on risk decisions
- Managing program execution (roadmap, controls, vendors)
- Governance: compliance posture, audits, risk reviews
- Briefing leadership or preparing board-level updates
- Incident oversight if something happens
At this level, most time is spent on strategy, communication, and decision-making, not hands-on technical work.
What part of your role takes the most mental energy right now?
Balancing speed vs. security.
- The business wants to move fast (cloud, SaaS, vendors, integrations)
- Threats are increasing in sophistication and volume
- Resources are always constrained
The hardest part is making risk decisions with incomplete information, knowing neither option is perfect.
What’s one security habit you personally never skip?
There are two things for me: using MFA everywhere, no exceptions; and establishing a top-down risk-aware culture. These are the two highest ROI things that a CISO can do:
- Even if credentials are compromised, access is blocked
- MFA can reduce the likelihood of compromise dramatically
- If all else fails, you have people who can react properly when they see something is not right.
What does your personal security setup look like?
High-level:
- Password manager (unique, long passwords everywhere)
- MFA on all critical accounts (preferably authenticator or hardware-based)
- Encrypted devices + auto-lock
- Regular backups (offline or immutable where possible)
- Separate admin vs. daily-use identities
The core principle: assume compromise and limit blast radius.
Password managers + MFA dramatically reduce risk from credential attacks.
What book, podcast, or resource has influenced you?
Instead of naming just one, I’d frame it like this:
- Leadership: focus on risk communication and decision-making under uncertainty
- Security: follow threat reports, breach analysis, and lessons-learned retrospectives
The most impactful learning comes from:
- Real incidents
- Peer discussions
- Post-breach analysis, not theory
What’s a lesson you learned the hard way?
Tools don’t solve security problems; accountability and process do.
Early in my career:
- We invested in tooling without fixing ownership, workflows, and priorities
- Result: visibility improved, risk didn’t
Now I focus on:
- Ownership
- Measurable outcomes
- Operational discipline
What keeps you up at night right now?
- Identity compromise (phishing, session hijacking, social engineering)
- Third-party / supply chain risk
- Detection gaps in cloud/SaaS environments
- Speed of attacker innovation (especially with AI)
The reality:
- You won’t stop every breach
- The concern is how fast you detect and recover
How do you measure whether your security program is working?
I focus on outcomes, not activity:
Key categories:
- Detection & response: Mean time to detect/respond (MTTD/MTTR)
- Coverage: Percentage of assets monitored, patched, and protected
- Vulnerability management: Consistently shrinking the window of vulnerability
- Human risk: Phishing susceptibility or behavior trends
- Business impact: Downtime avoided, recovery performance
Metrics should answer the question, “Are we safer today than last quarter?” Effective measurement ties security performance to business outcomes like uptime, risk reduction, and trust.
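As an added example, not part of the interview and not Stradley’s own tooling, the script below computes the outcome metrics named above (MTTD/MTTR, window of vulnerability, monitoring coverage) per quarter from constructed incident, patch and inventory records, then answers “are we safer than last quarter?” metric by metric. The record fields, the bucketing of incidents by detection date, and the decision to count a still-unpatched host’s exposure up to the reporting date are assumptions made for illustration.

```python
"""Per-quarter security program metrics (added example; all data constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median
from typing import Optional


@dataclass(frozen=True)
class Incident:
    name: str
    started: datetime    # when malicious activity began (from forensics)
    detected: datetime   # first alert or report that identified it
    resolved: datetime   # containment and recovery complete


@dataclass(frozen=True)
class Patch:
    host: str
    published: datetime            # vendor advisory date
    applied: Optional[datetime]    # None = still unpatched


def quarter(d: datetime) -> str:
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def hours(td: timedelta) -> float:
    return td.total_seconds() / 3600


def mttd_mttr(incidents, q):
    """Mean/median dwell time and mean response time for incidents detected in quarter q."""
    rows = [i for i in incidents if quarter(i.detected) == q]
    if not rows:
        return None
    dwell = [hours(i.detected - i.started) for i in rows]
    respond = [hours(i.resolved - i.detected) for i in rows]
    return {"n": len(rows), "mttd_h": mean(dwell), "mttr_h": mean(respond),
            "median_dwell_h": median(dwell)}


def patch_window_days(patches, q, as_of):
    """Window of vulnerability for advisories published in quarter q.
    Unpatched hosts are counted up to `as_of` (assumption) so they do not
    silently drop out of the metric."""
    rows = [p for p in patches if quarter(p.published) == q]
    if not rows:
        return None
    windows = [((p.applied or as_of) - p.published).days for p in rows]
    return {"n": len(rows), "mean_days": mean(windows), "max_days": max(windows),
            "open": sum(1 for p in rows if p.applied is None)}


def coverage_pct(inventory, covered):
    inventory = set(inventory)
    return 100.0 * len(inventory & set(covered)) / len(inventory)


LOWER_IS_BETTER = {"mttd_h", "mttr_h", "patch_mean_days"}


def quarter_report(incidents, patches, inventory, monitored, q, as_of):
    inc = mttd_mttr(incidents, q)
    pw = patch_window_days(patches, q, as_of)
    return {"mttd_h": inc["mttd_h"] if inc else None,
            "mttr_h": inc["mttr_h"] if inc else None,
            "patch_mean_days": pw["mean_days"] if pw else None,
            "monitored_pct": coverage_pct(inventory, monitored)}


def compare(prev, curr):
    """Per metric: (previous, current, verdict) where verdict is
    'better', 'worse', 'same' or 'n/a' when a quarter has no data."""
    out = {}
    for k, b in curr.items():
        a = prev.get(k)
        if a is None or b is None:
            out[k] = (a, b, "n/a")
        elif a == b:
            out[k] = (a, b, "same")
        elif (b < a) == (k in LOWER_IS_BETTER):
            out[k] = (a, b, "better")
        else:
            out[k] = (a, b, "worse")
    return out


# Constructed sample records (hypothetical incidents and hosts).
D = datetime
INCIDENTS = [
    Incident("phish-1", D(2024, 1, 10, 8), D(2024, 1, 12, 8), D(2024, 1, 12, 20)),
    Incident("token-replay", D(2024, 2, 1), D(2024, 2, 4), D(2024, 2, 5)),
    Incident("saas-oauth", D(2024, 4, 3, 9), D(2024, 4, 3, 21), D(2024, 4, 4, 3)),
    Incident("vendor-vpn", D(2024, 5, 10), D(2024, 5, 11, 6), D(2024, 5, 11, 18)),
]
PATCHES = [
    Patch("web-1", D(2024, 1, 15), D(2024, 2, 14)),
    Patch("db-1", D(2024, 2, 1), D(2024, 2, 11)),
    Patch("jump-1", D(2024, 4, 1), D(2024, 4, 6)),
    Patch("vpn-gw", D(2024, 5, 1), None),          # still exposed
]
INVENTORY = {"web-1", "web-2", "db-1", "jump-1", "vpn-gw"}
MONITORED = {"2024Q1": {"web-1", "web-2", "db-1"},
             "2024Q2": {"web-1", "web-2", "db-1", "jump-1"}}
AS_OF = D(2024, 6, 30)

if __name__ == "__main__":
    q1 = quarter_report(INCIDENTS, PATCHES, INVENTORY, MONITORED["2024Q1"], "2024Q1", AS_OF)
    q2 = quarter_report(INCIDENTS, PATCHES, INVENTORY, MONITORED["2024Q2"], "2024Q2", AS_OF)
    for metric, (a, b, verdict) in compare(q1, q2).items():
        print(f"{metric:16} {a!s:>6} -> {b!s:>6}  {verdict}")
```

With this data the second quarter detects and responds faster and monitors more of the estate, yet the patch window gets worse because one host is still unpatched at the reporting date; reporting the verdict per metric rather than as one score keeps that regression visible to leadership.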
What advice would you give to someone stepping into their first CISO role?
- Learn the business first, not the tools
- Translate everything into risk and impact
- Build strong relationships with CIO/IT, Legal/compliance, and executive leadership
- Focus on a few priorities that matter, not everything
- Communicate clearly and often
Most importantly, your job isn’t to be right; it’s to help the business make informed risk decisions.
What will matter less in security in 5–10 years?
- Manual, repetitive security operations (SOC triage, basic alert handling)
- Tool-centric thinking
- Purely perimeter-based controls
Automation and AI are already reducing the need for:
- Manual detection workflows
- Basic analysis tasks
Looking ahead 10 years, what will security teams spend most of their time on?
- AI security (both defending and governing it)
- Identity and access as the primary control plane
- Data security and privacy engineering
- Business risk modeling and decision support
- Security architecture embedded in engineering (DevSecOps)
The shift is already happening:
- From reactive → proactive
- From siloed → integrated
- From solution-driven → data and risk-driven