CISO Diaries: Stefano Pasotti on Cybersecurity as Strategy, Not Cost

Cybersecurity is often viewed through the lens of controls, compliance, and incident response, but its real value is much broader. In CISO Diaries, we speak with security leaders around the world to understand how they approach the role beyond the technical domain, particularly on how they make decisions, manage uncertainty, and align security with business resilience. The series explores the routines, habits, and perspectives that shape modern security leadership, revealing the human judgment behind the frameworks.

As the role of the CISO continues to expand, the job is increasingly about more than protecting systems. It is about enabling continuity, supporting operational efficiency, and helping organizations make better decisions in the face of complexity. Through these conversations, CISO Diaries highlights how security leaders are not just defending against risk, but helping shape strategy, culture, and long-term competitive advantage.

About Stefano Pasotti

Stefano Pasotti is CISO and ICT Manager at DN Automotive Italy, where he leads cybersecurity, IT infrastructure, and digitalization initiatives across European operations. His career spans software development, strategic IT leadership, and cybersecurity, with deep experience connecting technology decisions to business outcomes across manufacturing and logistics environments, including WMS, production planning, EDI, and IoT integration.

Known for his pragmatic and strategic approach, Stefano views cybersecurity not as a cost center, but as a driver of resilience, efficiency, and competitive advantage. His perspective is shaped by operating in multinational environments where security requires not only technical expertise, but cultural alignment, regulatory awareness, and careful communication. Through that lens, he brings a leadership approach grounded in discipline, continuous learning, and the belief that effective security is inseparable from sound business strategy.

How do you usually explain what you do to someone outside of cybersecurity?

I say I’m the person who makes sure the company can keep doing what it does, even when something goes wrong. I think of my role as building the immune system of an organization: you don’t notice it when it works, but everything falls apart when it stops. My goal is that nobody notices.

What does a “routine” workday look like for you, if such a thing exists?

A typical day doesn’t really exist, but there is a pattern that repeats. I try to dedicate the morning to things that require focus: analysis, documentation, decisions I can’t make in a rush. The rest of the day is meetings, escalations, and requests that arrive without warning. I have responsibility for the European sites of a multinational, which means problems come from different directions and rarely wait. What I’ve learned is that you don’t manage the day by trying to control it — you manage it by knowing what you can’t postpone.

What part of your role takes the most mental energy right now?

Aligning business needs with security requirements in a complex cultural and regulatory environment. I work in a multinational where different corporate cultures coexist alongside an ever-evolving European regulatory framework. Explaining why in Europe we need specific policies, dedicated tools, and an approach calibrated to the local context, without it looking like resistance to the business, requires energy, diplomacy, and very careful communication. It’s not a technical problem. It’s a cultural difference, and those are often the hardest to manage.

What’s one security habit or routine you personally never skip? (Work or personal.)

Every day, I set aside time to stay updated on the latest cybersecurity news. I don’t experience it as a professional obligation, but as a genuine habit, almost a reflex. The threat landscape changes continuously, and anyone who stops keeping up, even for just a few days, risks making decisions based on a picture of the world that no longer exists. I do it in the morning, before the operational day absorbs me. It’s my way of staying sharp on what matters.

What does your own personal security setup look like? (Password manager, MFA, backups, devices, at a high level.)

I follow the fundamentals rigorously and consistently. I use a password manager for all accounts, no recycled passwords. MFA is enabled wherever it’s supported, preferably through an authenticator app rather than SMS. Regular backups and immediate updates as soon as they’re available. Nothing exotic; just discipline applied consistently. I often tell my colleagues that security isn’t measured by the tools you have, but by how systematically you use them.

What book, podcast, or resource has influenced how you think about leadership or security? (Doesn’t have to be technical.)

A book that has influenced me a lot, and that has nothing technical about it, is ‘The 5 AM Club’ by Robin Sharma. The core idea is simple: the first hours of the day are the most valuable, and how you use them determines the quality of everything else. For me, it translated into a morning routine where, before the operational day absorbs me, I catch up on the latest cybersecurity news, reflect on priorities, and prepare mentally. In a role like mine, where urgencies arrive without warning, having that window of clarity every morning makes a real difference.

What’s a lesson you learned the hard way in your career?

Not to trust solutions that only look good on paper. Early in my career, I tended to take for granted that a well-designed and documented solution would work as expected. I learned that’s not always the case. Reality has its own opinion, and it often doesn’t match the vendor’s or the designer’s. Since then, I don’t put anything into production without testing it under real conditions, and I repeat the tests periodically. Systems change, environments evolve, and a solution that worked six months ago might not work today. Tests aren’t a formality: they’re the only way to really know how a system behaves when things don’t go as planned. And in security, things don’t go as planned more often than you’d think.

What keeps you up at night right now, from a security perspective?

The event I didn’t know how to anticipate. Not the known risk that you manage, monitor, and build countermeasures around. What keeps me up is the scenario I haven’t imagined: a serious problem, one that brings production and the business to a halt, coming from a direction I hadn’t considered. I work in the automotive industry, where a production line that stops has immediate and concrete consequences, not just internally, but across the entire supply chain. That awareness doesn’t paralyze me. In fact, it pushes me to test, to simulate, to question my own assumptions. But the idea that there might be a blind spot I haven’t found yet; that’s what I think about.

How do you measure whether your security program is actually working?

Measuring the real effectiveness of a security program is still an open problem in our industry. What I do is observe indirect signals: how the organization reacts when something goes wrong, whether periodic tests give results consistent with expectations, and whether the business perceives security as an ally or an obstacle. It’s not a scientific measurement; it’s a continuous assessment. And I believe that acknowledging this complexity is already part of the answer.

What advice would you give to someone stepping into their first CISO role today?

The cybersecurity world is one of the most vast and rapidly evolving I know. My advice is simple: never stop learning. Read, attend events, take courses, and compare notes with other professionals. Not because it helps your CV, but because the day you think you know enough is the day you start falling behind. I follow a structured training program myself, because I’m convinced that even someone with years of experience always has something to learn. For me, curiosity is a skill.

What do you think will matter less in security five to ten years from now?

The manual management of security controls. Many of the activities we invest significant time and energy in today, such as vulnerability scanning, patch management, and alert monitoring, will be largely automated. They won’t disappear, but they’ll become commodities: you buy them, configure them, let them run. The value of the CISO will no longer lie in those activities, but in the ability to interpret context, make decisions in ambiguous situations, and communicate risk to people without a technical background. The technical part gets automated. The human part doesn’t.

Looking ahead 10 years, what do you believe security teams will spend most of their time on that they don’t today?

Making precise predictions ten years out in a field like this is, honestly, a form of madness. Technological evolution doesn’t follow a straight line; it follows an exponential curve. What I can say is that many things will change, and they’ll change faster than we think. AI will play a fundamental role in many processes on both the attacker’s and the defender’s sides. But if I have to point to where I believe the focus will shift, I’d say governance: understanding who decides what, how, and why, even when the one deciding is an automated system. Not so much protecting machines, but governing the decisions they make.