CISO Diaries: Shady Shaker on Strategic Cybersecurity and Risk Leadership


Cybersecurity leadership often gets framed around technology stacks, breaches, or compliance checklists, but the day-to-day reality of a CISO is far more nuanced. CISO Diaries dives into the routines, habits, and strategic thinking of the world’s leading CISOs, revealing how they balance protection, business objectives, and evolving threats. Through candid conversations, the series highlights the human side of cybersecurity leadership: decision-making under uncertainty, prioritizing risk, fostering resilience, and enabling organizations to move forward securely.

About the Interviewee: Shady Shaker

Shady Shaker is a seasoned cloud and cybersecurity professional with nearly two decades of experience across compute, VMware, storage, backup, and network security technologies. Currently serving as Cybersecurity Risk Senior Manager at PwC ETIC, Shady advises CISOs in the financial sector on regulatory compliance, risk management, M&A due diligence, and business continuity. He leads teams in GRC, project management, and automation rollout programs, ensuring organizations implement secure, compliant, and resilient solutions. Known for his strategic mindset and practical approach, Shady bridges technical expertise with business outcomes, helping companies navigate complex risks while enabling growth.

How do you usually explain what you do to someone outside of cybersecurity?

By sharing real examples of cyberattacks or data leaks at other companies, and explaining their impact on business, such as financial losses from ransomware or downtime, fines under GDPR, and reputational damage leading to customer loss. Then, I highlight how we play a crucial role in preventing these risks and threats by using:

  • Preventive controls (firewalls, access restrictions) to block threats early
  • Detective controls (intrusion monitoring) to spot attacks quickly
  • Corrective measures (backups, incident response) to recover fast

This layered approach protects data, ensures compliance, and keeps businesses running smoothly and trusted.

What does a “routine” workday look like for you, if such a thing exists?

It’s a mix of strategy, crisis management, and constant communication with stakeholders.

We provide comprehensive support to CISOs in the financial sector across all security-related activities. Our approach begins with a thorough assessment to evaluate the organization’s current security posture and define the target state. Based on this gap analysis, we deliver actionable recommendations through both short-term and long-term plans aligned with the overall business strategy.

In addition, we assist with compliance management by analyzing regulatory requirements, conducting gap assessments, and recommending effective controls and solutions to ensure adherence.

We also support risk assessments for new solutions and third-party engagements, helping organizations to identify and mitigate potential security risks before implementation.

What part of your role takes the most mental energy right now?

The areas that consume the most mental energy for CISOs in the financial sector include:

  • Regulatory Compliance: Keeping updated with evolving regulations and ensuring the organization remains compliant. The rapid pace of new compliance obligations creates significant stress in closing gaps identified during assessments within strict deadlines.
  • Risk Management: Assessing risks for new technologies, third-party vendors, and emerging threats.
  • Incident Response Planning: Preparing for and mitigating potential breaches or cyberattacks.
  • Strategic Alignment: Balancing security initiatives with business objectives and budgets.
  • Talent & Resource Management: Building and retaining skilled security teams in a competitive market.

What’s one security habit or routine you personally never skip? (Work or personal.)

Keeping myself updated about new threats, new bugs, and zero-day vulnerabilities.

Enabling multi-factor authentication (MFA) wherever possible stands out as the one security routine never skipped, both at work and personally. This simple step adds a critical second verification layer.

Regularly taking a backup to an external hard disk.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

Usually, I take a monthly backup to an external hard disk and a weekly backup of sensitive data, and use a different complex password for each app.

The personal security setup prioritizes layered defenses: a password manager (1Password) for unique, strong credentials across all accounts.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

I usually subscribe to security websites, such as CSO Online, to stay up to date on new threats and risks.

Learning new technologies such as AI is on my top-to-do list.

Learning financials and improving communication skills to bridge the gap between technical and business to get buy-in from executives.

What’s a lesson you learned the hard way in your career?

Managing time effectively to oversee all activities and track each task, including the patch management process and backup success rates.

Regularly test the existing controls to ensure their effectiveness and to prevent any attack by simulating real attacks to test response capabilities and existing controls.

What keeps you up at night right now, from a security perspective?

AI-driven autonomous attacks and zero-day vulnerabilities because you can’t patch what you don’t know exists.

How do you measure whether your security program is actually working?

Security programs prove effective through a balanced set of quantitative metrics and KPIs tied to business outcomes such as tickets closed. Leading CISOs track trends in mean time to detect/respond (MTTD/MTTR), threat coverage scores, and risk reduction over time to demonstrate resilience against real attacks.
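The MTTD/MTTR trend tracking mentioned above, as an added illustration that is not part of the interview: the incident records, field names and timestamps below are constructed for the example, and MTTR is measured from detection to resolution.

```python
# Added example (not from the interview): computing MTTD/MTTR and their
# month-over-month trend from a constructed incident log.
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sample incidents: when attacker activity began, when the SOC
# detected it, and when containment/recovery was completed (ISO 8601).
INCIDENTS = [
    {"id": "INC-1", "start": "2024-01-03T08:00", "detected": "2024-01-05T08:00", "resolved": "2024-01-06T20:00"},
    {"id": "INC-2", "start": "2024-01-20T10:00", "detected": "2024-01-21T10:00", "resolved": "2024-01-21T22:00"},
    {"id": "INC-3", "start": "2024-02-02T00:00", "detected": "2024-02-02T06:00", "resolved": "2024-02-02T12:00"},
    {"id": "INC-4", "start": "2024-02-15T12:00", "detected": "2024-02-15T14:00", "resolved": "2024-02-16T02:00"},
]


def _hours(a, b):
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600


def incident_metrics(inc):
    """Return (time_to_detect_h, time_to_respond_h) for one incident.
    Out-of-order timestamps are a data-quality problem and are rejected
    rather than silently producing negative (flattering) numbers."""
    ttd = _hours(inc["start"], inc["detected"])
    ttr = _hours(inc["detected"], inc["resolved"])
    if ttd < 0 or ttr < 0:
        raise ValueError(f"{inc['id']}: timestamps out of order")
    return ttd, ttr


def monthly_trend(incidents):
    """Group incidents by the month they started and return
    {month: (MTTD_h, MTTR_h)} so the trend can be shown over time."""
    buckets = defaultdict(list)
    for inc in incidents:
        buckets[inc["start"][:7]].append(incident_metrics(inc))
    return {m: (mean(t for t, _ in v), mean(r for _, r in v))
            for m, v in sorted(buckets.items())}


def improving(trend):
    """True if both MTTD and MTTR fell from the first to the last period."""
    periods = list(trend.values())
    return periods[-1][0] < periods[0][0] and periods[-1][1] < periods[0][1]
```

With the constructed data, January averages 36 h to detect and 24 h to respond, February 4 h and 9 h, so the trend reads as improving.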

What advice would you give to someone stepping into their first CISO role today?

New CISOs should prioritize building executive relationships and aligning security with business goals over diving straight into technical details.

Align security initiatives directly with revenue drivers, business, and risk appetite to secure buy-in from the C-suite. Translate cyber risks into financial terms during board reports, emphasizing resilience as a growth enabler.

Moreover, focus on building a strong and harmonized team by hiring diverse skills, including AI governance and compliance expertise.

What do you think will matter less in security five to ten years from now?

In five to ten years, security teams will likely spend far less time on manual perimeter defenses and reactive incident response. Traditional firewalls and signature-based detection will fade as AI automation handles these at scale. Human focus will shift away from routine patching toward strategic oversight.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Security teams will likely spend most of their time managing AI-driven autonomous defenses and quantum-resistant architectures.

They will rely on AI to handle routine detections and responses, freeing humans to oversee adaptive systems that mitigate geopolitical threats.