Security leadership doesn’t end when the badge comes off or the title changes. In many ways, that’s when perspective sharpens. CISO Diaries is designed to capture exactly that: honest reflections from security leaders on how they think, operate, and adapt as the role of the CISO continues to evolve. This series looks beyond org charts and frameworks to explore routines, decision-making habits, lessons learned the hard way, and how experienced leaders apply their craft across different chapters of their careers.
In this edition, we speak with a former federal CISO navigating life after government service, bringing decades of experience, fresh independence, and a continued commitment to strengthening the cybersecurity community.
About the Interviewee: Paul Blahusch
Paul Blahusch is a veteran cybersecurity leader with more than 20 years of experience across U.S. federal government roles, including nearly seven years as Chief Information Security Officer at the U.S. Department of Labor. During his tenure, he helped guide the agency’s cybersecurity strategy through an increasingly complex threat landscape, balancing risk management, leadership engagement, and cross-government collaboration.
After resigning from the CISO role in 2025 and formally retiring from federal service later that year, Paul founded B&A Cybersecurity Consulting, where he now advises organizations on cyber risk, strategy, and IT challenges. Deeply invested in the cybersecurity community, he remains active through mentoring, podcasting, event participation, and thought leadership, bringing a seasoned, pragmatic perspective shaped by both public service and real-world transition.
How do you usually explain what you do to someone outside of cybersecurity?
I like to describe the CISO role as one that helps the business (or, in the case of government, agency) succeed by efficiently and effectively protecting the digital assets to mitigate risk to a level acceptable to company/agency leadership.
What does a “routine” workday look like for you, if such a thing exists?
My day breaks down into:
- Taking about 15-30 minutes to read. Currently, I am reading “The Coming Wave” by Mustafa Suleyman.
- I answer correspondence from colleagues, or current or prospective clients, including emails, texts, direct messages, phone calls, Slack, Signal, etc.
- I work on whatever current clients have asked me to do: product/solution feedback, proposal review or development, strategic guidance, risk assessment/management advice, etc.
- Perform activities to increase my network (i.e., potentially obtain new clients), such as social media posts, outreach, this article, etc.
- Administrative work of having my own business, like tracking expenses, paying bills, submitting invoices, maintaining the website, and other media.
- When I have time, refreshing my knowledge or learning something new in cyber, general IT, or leadership.
My current day is a lot different than the typical day when I was the DOL CISO. That position involved:
- Engaging with agency leaders to understand their priorities and how cyber could best help them achieve their goals
- Meeting with the cybersecurity team to relay priorities and to understand current threats and what the team needed to succeed (tools, training, support, guidance, etc.)
- Promoting the importance and needs of the cybersecurity program to agency top leadership – i.e., to obtain the resources and support my team needed to succeed
- Evangelizing cybersecurity to the agency through outreach to program owners and to users – emails, interviews, memos, presentations, etc.
- Contributing to the broader federal cybersecurity community by participating in cross-government councils, working groups, industry groups, conferences, etc.
What part of your role takes the most mental energy right now?
The administrative aspects of running my own business. Maintaining and enhancing existing relationships. Identifying and making contacts for potential new clients. Keeping track of the financials. I think these take the most mental energy because they are mostly new to me. The other things – the actual work and the continuous learning – are “muscle memory” for me.
What’s one security habit or routine you personally never skip? (Work or personal.)
Bringing a healthy dose of skepticism to any unsolicited message I get – email, text, voice, or other. And I get a lot of those since I set up my own business entity.
What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)
I leverage password managers, but don’t think passwords are very effective for security anymore, so I look for and enable phishing-resistant MFA wherever possible. My critical files are backed up to multiple locations, some local ones that I control, others to the cloud. Sensitive files are encrypted.
What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)
There were so many, but three things came immediately to mind: two books and a podcast.
I read “Time-Based Security” by Winn Schwartau maybe 20 years ago, and it was the first to make me clearly realize that a security strategy based solely on prevention was bound to fail. We couldn’t stop everything. The adversary was going to get in eventually … or, at least, we needed to assume that. In the book, Schwartau explained that we needed to focus on detection and response tools and techniques so we could be alerted to the intruder and take action to stop them before they could reach their goal. This included having barriers to slow them down and alarms going off. A lot of zero-trust type of thinking here, more than a decade before it became a popular buzzword.
The second is a book my boss at the time gave me: “Turn the Ship Around!: A True Story of Turning Followers into Leaders” by L. David Marquet. What sticks with me to this day is the idea of not simply presenting a bunch of possible ideas for action to the boss (superior), or worse just the problem, and waiting for their decision on how to proceed, but rather, as the subordinate (or maybe a better term is Subject Matter Expert!), declaring, “Here is what I intend to do to address the issue, and here is why I think it is the best approach.” Kind of like the old saying “Don’t come to me with problems, come to me with solutions”, but instead coming with “the best solution”.
I often adopted this approach when communicating with my boss and encouraged it among my staff. The boss or reviewer can always come back with questions or even order a different approach, but 9 times out of 10, the subordinate-declared approach worked great and has the added benefit of team buy-in and growth.
After I left the government, I realized that because I wasn’t privy to routine threat briefings, I needed a new way to stay on top of cybersecurity developments. I soon found Jim Love’s podcast “Cybersecurity Today,” and it has been my go-to ever since. Jim and his colleague David Shipley expertly condense the latest threats and vulnerabilities news into neat 10-15 minute segments three times a week that help keep me up to date.
What’s a lesson you learned the hard way in your career?
No matter your position, or relative authority, or tenure, or your past successes, realize you are not as safe, secure, and comfortable as you think in that position. Change can happen more quickly and more meanly than you expect, and in unexpected ways.
You need to assume you will not be able to choose the time and terms of your departure from an organization.
So, always be ready for the “next thing”. Invest and trust in yourself. Keep current on the industry and technology. Build bridges, don’t burn them. Nurture your current relationships and expand your network.
What keeps you up at night right now, from a security perspective?
Perhaps this goes beyond simply a security perspective, but I’d say the dangers of uncontrolled (or under-controlled) AI. Let me put it this way: so much of our lives are touched by (if not dependent on) technology. Machines transport us from place to place. They process our food, treat our water, administer health care, and control our most dangerous weapons. And AI, including agentic AI, is being used more and more in these automated systems. Uncompromised AI is a problem big enough for policymakers and technologists to tackle from a quality and ethical perspective. A bad actor compromising AI is something cybersecurity professionals need to vigilantly defend against by protecting the logic models and the integrity of the underlying data.
How do you measure whether your security program is actually working?
I have experienced a lot of ways to measure a security program. The federal government is great at dictating measures and metrics. I’ve measured the percentage of assets that have the (current buzzword) security control applied. Time to patch. Number of incidents. Number of employees who failed phishing exercises. And many more.
I was fortunate to have the opportunity to contribute items to my own performance plan. The one I thought measured the program best, holistically, I called the “No surprises” element, and I believe it is the most important.
It stated that the business/agency did not experience a disruptive incident due to a weakness or flaw in the cybersecurity program that had not previously been brought to leadership’s attention.
What advice would you give to someone stepping into their first CISO role today?
Listen and learn first. Arrange meetings with a range of people across the organization and listen to what is important to them. Learn what success means for the organization.
As CISO, you are not there to provide security. You are there to help ensure organizational success. You do that by ensuring cybersecurity risk is at an acceptable level for informed organizational leadership.
What do you think will matter less in security five to ten years from now?
This is already happening, but less importance will be placed on time-based reviews (e.g., annual assessments) that result in 50- to 100-page (or longer) reports. The threat landscape moves way too fast for that. We will see a pivot continue and intensify to more real-time continuous monitoring and mitigations. Here, most likely, my boogeyman AI will help defenders by analyzing vast amounts of events and alerts to identify attacks (many of which will be AI-generated) and take immediate responsive actions to prevent, eradicate, and/or recover.
Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?
Destroying Terminators! Kidding (I hope). I think security teams will be a combination of AI agents doing the lower-level work directed by a cadre of human managers skilled in both cybersecurity disciplines and in AI prompting. So, to more directly answer the question, I see teams taking a higher-level view of the environment through AI-generated, real-time views and interacting with AI agents in near real time to manage prevention, response, and/or recovery from cyber incidents.
