CISO Diaries: Ornaldo Naqellari on Security Culture, Practical Leadership, and the Risks We Don’t Control

Ornaldo Naqellari’s path into cybersecurity began inside the banking industry, where years spent working across operational and security roles gave him a practical understanding of how risk, technology, and business continuity intersect in the real world. Now serving as CISO at Jet Bank, he brings a perspective shaped not only by technical security work, but also by hands-on experience navigating audits, fraud prevention, compliance pressures, and the day-to-day realities of protecting financial systems.

That background makes Naqellari an especially fitting voice for CISO Diaries, a series focused on how cybersecurity leaders actually operate behind the scenes, from decision-making and communication to routines, habits, and leadership philosophy. In this conversation, he reflects on why culture and discipline often matter more than expensive security tools, the growing challenge of third-party and supply chain risk, and how security leaders must learn to balance technical depth with business communication. He also shares a grounded, often humorous perspective on the future of AI-driven security, where tomorrow’s investigations may involve autonomous systems interacting with one another at machine speed rather than traditional phishing emails alone.

How do you usually explain what you do to someone outside of cybersecurity?

I usually say: “Imagine the company is a big building. My job is to help make sure the doors are locked, the alarms work, people don’t let strangers in, and if something bad happens, we can recover quickly without panic.”

What does a “routine” workday look like for you, if such a thing exists?

A normal day usually starts with coffee and checking news, alerts, emails, vulnerabilities, and incidents. Then it quickly turns into meetings, risk discussions, audits, project reviews, vendor assessments, and cross-checking things with the team to make sure we’re all seeing the same risks and priorities. And somewhere in between, there’s usually a conversation about why “123456” is still not an acceptable password in 2026. No two days are exactly the same — which is either exciting or exhausting depending on the week.

What part of your role takes the most mental energy right now?

Prioritization. There are always more risks, alerts, tools, projects, business and compliance requirements than time and budget. A big part of the job is deciding which fire actually matters before everyone starts running around with metaphorical fire extinguishers.

What’s one security habit or routine you personally never skip?

Probably pausing for a few seconds before clicking anything unexpected — especially emails, links, attachments, or login requests. In cybersecurity, many problems start because someone was in too much of a hurry.

What does your own personal security setup look like?

Nothing Hollywood-level — just disciplined basics:

  • Password manager
  • MFA everywhere possible
  • Separate work and personal devices
  • Regular backups
  • Encrypted devices
  • Keeping software updated
  • Mild paranoia when receiving unexpected attachments

Basically: boring security habits done consistently.

What book, podcast, or resource has influenced how you think about leadership or security?

Honestly, more than books, I’ve been influenced by people.

First, Kevin Mitnick and his famous idea that companies spend millions on technology while people often remain the weakest link. That really changed how I think about security awareness and human behavior.

Second, Stéphane Nappo, especially his mindset that “it takes 20 years to build a reputation and a few minutes of cyber incident to ruin it.” It’s a simple quote, but very true in today’s world.

And third, my former director — now mentor and friend — Dritan Gucaj, one of the most knowledgeable people I’ve worked with and probably the person I’ve learned the most from. He taught me that good security is not just about controls and technology, but also about communication, persistence, and building bridges with people.

What’s a lesson you learned the hard way in your career?

I’ve learned quite a few lessons over the years, but three stand out the most.

First: always put important things in writing. People forget conversations, misunderstand details, or remember events very differently later. Written communication creates clarity and accountability. As the Latin saying goes: “Verba volant, scripta manent” — spoken words fly away, written words remain.

Second: you can buy the most expensive security tools on the market and still remain insecure if ownership, processes, accountability, and configurations are unclear or poorly managed. A badly configured security solution can sometimes create a false sense of safety, which is even worse.

And third: technology matters, but culture, awareness, discipline, and communication matter just as much — sometimes more. A strong security culture can compensate for many technical weaknesses, while a weak culture can break even very advanced security environments.

What keeps you up at night right now, from a security perspective?

Supply chain risks, third-party dependencies, and misconfigurations. You can secure your own environment very well, but if a trusted vendor gets compromised or a critical system is misconfigured, suddenly everyone is having a very long week together.

How do you measure whether your security program is actually working?

Not by how many tools we bought. I look at things like:

  • Faster detection and response
  • Reduced critical risks and vulnerabilities
  • Fewer repeated mistakes and fewer users getting phished
  • Better resilience during incidents
  • Whether the business can continue operating when something inevitably breaks

If security only works on paper or during audits, then it’s probably not working well enough in reality.

What advice would you give to someone stepping into their first CISO role today?

Learn the business first. A good CISO needs to speak three languages:

  • Technical
  • Business
  • “Executive summary in two minutes because the CEO has another meeting”

Also, make friends, not enemies. Your IT teams and Board are not obstacles — they are the people who will support, fund, prioritize, and help implement security across the organization. If security becomes “the department of no,” you lose before you even start. And finally, don’t try to fix everything in the first six months. Cybersecurity is a marathon with occasional explosions.

What do you think will matter less in security five to ten years from now?

Probably the traditional way we’ve been doing security so far.

For many years, security has been heavily reactive, manual, and compliance-driven — a lot of spreadsheets, repetitive tasks, endless meetings, checking boxes, and humans trying to process thousands of alerts manually.

With AI and automation evolving quickly, I think security teams will gradually spend less time on repetitive operational work and more time on decision-making, validation, governance, and managing complex risks. Continuous monitoring, smarter automation, and AI-assisted analysis will likely become part of daily operations.

Of course, cybersecurity has a special talent for keeping old problems alive longer than expected — so I’m sure spreadsheets will somehow survive too.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Probably governing AI systems, validating automated decisions, managing machine identities, and monitoring autonomous systems talking to other autonomous systems.

In other words, today we investigate suspicious emails from humans. Tomorrow we may investigate suspicious behavior from AI agents arguing with other AI agents at machine speed — which sounds both impressive and slightly terrifying.
