Security leadership at the enterprise level is as much about governance and resilience as it is about technology. CISO Diaries was created to capture that reality by spotlighting how today’s CISOs operate behind the scenes: how they think about risk, structure teams, advise leadership, and keep complex organizations secure without slowing them down.
Through candid conversations, the series explores the daily rhythms, long-term priorities, and decision-making frameworks that define modern security leadership, offering readers a grounded view of what it takes to protect large, distributed businesses in an increasingly regulated and threat-heavy environment.
About the Interviewee: Nikola Đinić
Nikola Đinić is a senior information security executive with over 12 years of international experience spanning IT security, audit, compliance, and cyber risk management. He currently serves as Group CISO at CONVOTIS, where he advises executive leadership on cybersecurity strategy and risk posture while aligning security investments with business objectives across multiple entities.
Nikola leads and mentors a high-performing security team, oversees compliance with frameworks including ISO 27001, SOC 2, TISAX, and GDPR, and has successfully established and managed a 24/7 Security Operations Center leveraging SIEM, XDR, and PAM technologies. Known for his structured, standards-driven approach, Nikola brings a strong focus on resilience, business continuity, and governance to enterprise-scale security programs.
How do you usually explain what you do to someone outside of cybersecurity?
I usually say my job is to make sure the company can keep doing business even when things go wrong. Cybersecurity is not about firewalls or tools—it’s about protecting revenue, customer trust, and our license to operate in regulated markets. If security fails, the business eventually stops.
What does a “routine” workday look like for you, if such a thing exists?
There is no real routine in my day-to-day activities. One day starts with a regulatory question, the next with a customer escalation or an incident review. I move constantly between strategy, operations, and decision-making. The priority is always the same: what risk could hurt the business the most right now?
What part of your role takes the most mental energy right now?
Aligning regulatory requirements across multiple countries with operational reality. Laws and frameworks are abstract, but systems and people are not. Turning legal language into controls and security processes that actually work—without slowing down the business—takes a lot of thinking, adaptation and negotiation.
What’s one security habit or routine you personally never skip?
I never approve security measures without understanding how they really work, who they affect and how. If a control only works on slides but not in daily operations, it creates risk instead of reducing it. Medium practical security always beats theoretically perfect security.
What does your own personal security setup look like?
I keep it simple but disciplined: a password manager with unique passwords, MFA everywhere, encrypted devices, regular updates, and reliable backups. I treat my personal setup the same way I expect our corporate environment to be run—boring, risk-driven, consistent, and resilient.
What book, podcast, or resource influenced how you think about leadership or security?
“The Five Dysfunctions of a Team” had a big impact on me. It helped me realize that most security problems are people and communication problems. Tools don’t fail nearly as often as unclear ownership, missing trust, or teams working in silos.
What’s a lesson you learned the hard way in your career?
Security that ignores business reality will always lose. If controls slow people down or don’t match how their work is actually done, they will be bypassed. Real security starts by understanding the business and people, not by enforcing rules. The first line of defense is always, whether we like it or not, the employees of the company.
What keeps you up at night right now, from a security perspective?
The gap between documented controls and how things really work. On paper, many organizations look secure. In reality, small weaknesses accumulate quietly until a regulator, customer, or attacker exposes them all at once. The latter is usually the point in time where all of the efforts and measures executed before are meaningless.
How do you measure whether your security program is actually working?
Not by the number of tools, policies or security certificates. I look at outcomes: fewer incidents, faster response, predictable audits, stable operations, and whether customers trust us with their data. If security enables the business instead of blocking it, it’s doing its job.
What advice would you give to someone stepping into their first CISO role today?
Don’t start with technology—start with people and the business model. Learn how money is made, where risks really sit, and what leadership cares about. Trust from executives is more valuable than any security tool.
What do you think will matter less in security five to ten years from now?
Endless tool stacks and checkbox compliance. Companies will care less about how many controls exist and more about whether they actually reduce risk and stand up during audits, incidents, and customer reviews.
Looking ahead 10 years, what do you believe security teams will spend most of their time on?
Proving value. Translating security into financial risk, regulatory exposure, and operational resilience. Less manual work, more automation, and much more focus on governance, AI risk, and making security measurable for business leaders.
