<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:googleplay="http://www.google.com/schemas/play-podcasts/1.0"><channel><title><![CDATA[CISO HQ : CISO Tips]]></title><description><![CDATA[CISO Tips is an interview series where security leaders answer eleven pointed questions about how they run their programs. Each edition captures the practical advice a CISO would share with a peer over coffee: budget ratios, vendor tests, incident habits, and board-ready one-liners.]]></description><link>https://www.cisohq.io/s/ciso-tips</link><image><url>https://substackcdn.com/image/fetch/$s_!T2is!,w_256,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F802272e2-c335-4db1-835a-9f659f19ffba_1280x1280.png</url><title>CISO HQ : CISO Tips</title><link>https://www.cisohq.io/s/ciso-tips</link></image><generator>Substack</generator><lastBuildDate>Wed, 08 Jul 2026 13:14:15 GMT</lastBuildDate><atom:link href="https://www.cisohq.io/feed" rel="self" type="application/rss+xml"/><copyright><![CDATA[Media Network]]></copyright><language><![CDATA[en]]></language><webMaster><![CDATA[cisohq@substack.com]]></webMaster><itunes:owner><itunes:email><![CDATA[cisohq@substack.com]]></itunes:email><itunes:name><![CDATA[Media Network]]></itunes:name></itunes:owner><itunes:author><![CDATA[Media Network]]></itunes:author><googleplay:owner><![CDATA[cisohq@substack.com]]></googleplay:owner><googleplay:email><![CDATA[cisohq@substack.com]]></googleplay:email><googleplay:author><![CDATA[Media Network]]></googleplay:author><itunes:block><![CDATA[Yes]]></itunes:block><item><title><![CDATA[CISO Tips: Tarik Ustuner on Fixing the Locks Before Buying Alarms]]></title><description><![CDATA[CISO Tarik Ustuner shares tips on the 80/20 hygiene rule, tool utilization, vendor tests, and staying calm in the first minutes of a breach.]]></description><link>https://www.cisohq.io/p/ciso-tips-tarik-ustuner</link><guid isPermaLink="false">https://www.cisohq.io/p/ciso-tips-tarik-ustuner</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Wed, 08 Jul 2026 10:12:49 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!caKQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!caKQ!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!caKQ!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 424w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 848w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 1272w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!caKQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp" width="1200" height="720" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:720,&quot;width&quot;:1200,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:211432,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/webp&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cisohq.io/i/206014330?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!caKQ!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 424w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 848w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 1272w, https://substackcdn.com/image/fetch/$s_!caKQ!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F00e139d7-34bd-49fc-91c3-d2a1f3b88fc7_1200x720.webp 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p><p><a href="https://www.linkedin.com/in/tustuner/">Tarik Ustuner</a> is the Chief Information Security Officer at <a href="https://www.bybit.tr/tr-TUR/">Bybit TR</a>, where he is responsible for safeguarding the organization&#8217;s information systems in a high-stakes, fast-moving financial environment. In his role, Tarik designs and implements robust security protocols, works closely with internal teams to identify and mitigate vulnerabilities, and strengthens compliance with industry standards, driving measurable reductions in security incidents along the way. Known for his pragmatic, action-oriented mindset, Tarik approaches cybersecurity as a living discipline: one that requires a deep understanding of the business, constant awareness of the evolving threat landscape, and the resilience to respond decisively when it matters most.</p><p><strong>1. Complete this sentence: &#8220;Before you buy any new security tool, first...&#8221;</strong></p><p>Audit your existing tech stack to see what&#8217;s already capable of doing the exact same thing but was never fully deployed. Most security gaps are caused by 20% tool utilization, not a lack of tools.</p><p><strong>2. What&#8217;s one rule you enforce on your team that other teams would find strict?</strong></p><p>We enforce a strict &#8220;no manual changes in production&#8221; rule. Even during a high-severity incident, no one is allowed to hotfix code or configurations directly on live servers. Everything must go through the CI/CD pipeline and automated checks. Other departments think it slows us down during a crisis, but it prevents a bad situation from becoming a catastrophe.</p><p><strong>3. What&#8217;s a number or ratio that guides how you allocate budget, headcount, or your own time?</strong></p><p>The 80/20 rule. I dedicate 80% of my budget and team focus to rock-solid cyber hygiene: patch management, identity protection, and visibility. The remaining 20% goes to advanced tools and proactive threat hunting. There is no point in buying a state-of-the-art security system if your front door doesn&#8217;t lock.</p><p><strong>4. What&#8217;s one line that works when asking the board or CFO for a budget?</strong></p><p>&#8220;This budget isn&#8217;t a guarantee that we will never be breached; it&#8217;s an investment to ensure that when a breach happens, our business recovery time drops from three weeks to three hours.&#8221;</p><p><strong>5. What should a CISO cut from their program tomorrow with zero regret?</strong></p><p>Those annual, boring, compliance-driven security awareness videos that everyone mutes. No one ever stopped clicking on a phishing link because of a slide deck. Replace them with real-time, bite-sized, interactive simulation triggers.</p><p><strong>6. What&#8217;s your 60-second test for whether a vendor pitch is worth your time?</strong></p><p>In the first 60 seconds, they need to talk about my specific business problem, not their product features. If the pitch starts with buzzwords like &#8220;AI-driven, revolutionary, next-gen paradigm shift,&#8221; my clock runs out and the meeting is practically over.</p><p><strong>7. What&#8217;s one meeting, report, or process you eliminated, and what replaced it?</strong></p><p>I killed the traditional two-hour Monday status update meeting and replaced it with a 15-minute daily stand-up. I also eliminated the 40-page monthly PDF security report, replacing it with a single, dynamic executive risk dashboard.</p><p><strong>8. In the first 10 minutes of an incident, what&#8217;s the one action teams most often skip?</strong></p><p>Taking a breath and documenting the initial blast radius. Teams usually panic and rush to patch things or kill servers immediately. In doing so, they often destroy vital logs and evidence. The first 10 minutes should strictly be about calm containment and logging what is currently happening.</p><p><strong>9. What&#8217;s one question every CISO should ask their team this week?</strong></p><p>&#8220;What is the one control or system we trust the most right now, and when was the last time we actually tried to break it ourselves?&#8221;</p><p><strong>10. What&#8217;s a phrase or framing you use to translate a technical risk for executives?</strong></p><p>I strip out the technical jargon and translate it into operational downtime: &#8220;This vulnerability doesn&#8217;t just mean an unpatched server; it means our primary revenue engine goes dark for 48 hours, costing us roughly fifty thousand dollars an hour.&#8221;</p><p><strong>11. What&#8217;s your best tip for surviving the CISO role in exactly five words?</strong></p><p>Own risk management, not risk.</p><p>See the other tips shared by other CISOs:</p><ul><li><p><a href="https://www.cisohq.io/p/ciso-tips-shady-shaker-on-the-7030">CISO Tips: Shady Shaker on the 70/30 Rule and Discipline That Scales</a></p></li><li><p><a href="https://www.cisohq.io/p/ciso-tips-dr-adeel-shaikh-muhammad">CISO Tips: Dr. Adeel Shaikh Muhammad on Ownership Before Everything</a></p></li></ul><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p>]]></content:encoded></item><item><title><![CDATA[CISO Tips: Dr. Adeel Shaikh Muhammad on Ownership Before Everything]]></title><description><![CDATA[Dr. Adeel Shaikh Muhammad shares CISO tips on tool ownership, budget balance, vendor tests, incident command, and cutting what changes nothing.]]></description><link>https://www.cisohq.io/p/ciso-tips-dr-adeel-shaikh-muhammad</link><guid isPermaLink="false">https://www.cisohq.io/p/ciso-tips-dr-adeel-shaikh-muhammad</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Wed, 08 Jul 2026 10:03:58 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!m6Rd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!m6Rd!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!m6Rd!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 424w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!m6Rd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg" width="800" height="800" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:241896,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cisohq.io/i/206012546?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!m6Rd!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 424w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!m6Rd!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F977e4f8f-d931-456a-8759-4e7538a683af_800x800.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p><p><a href="https://www.linkedin.com/in/shadeel/">Dr. Adeel Shaikh Muhammad</a> is a cybersecurity leader, author, researcher, and international speaker specializing in AI-driven security operations, cyber risk, governance, and enterprise security strategy. He has advised organizations across the GCC and beyond on SOC transformation, AI governance, security architecture, compliance, and cyber resilience. He is the author of AI-Driven Transformation of the SOC and SecOps and frequently speaks on the intersection of cybersecurity, AI, governance, and leadership.</p><p><strong>1. Complete this sentence: &#8220;Before you buy any new security tool, first...&#8221;</strong></p><p>Before you buy any new security tool, first define the exact risk, business outcome, and operating owner it is meant to support. A tool without ownership becomes shelfware very quickly.</p><p><strong>2. What&#8217;s one rule you enforce on your team that other teams would find strict?</strong></p><p>No critical security decision should be based only on a dashboard or vendor score. I expect the team to validate context, business impact, and real exploitability before escalating or closing a risk.</p><p><strong>3. What&#8217;s a number or ratio that guides how you allocate budget, headcount, or your own time?</strong></p><p>I like to balance security investment across three areas: prevention, detection, and response. If most of the budget is going only into prevention tools, the program usually becomes blind during real incidents.</p><p><strong>4. What&#8217;s one line that works when asking the board or CFO for a budget?</strong></p><p>&#8220;This is not a technology expense; it is a risk reduction investment tied to business continuity, regulatory exposure, and customer trust.&#8221;</p><p><strong>5. What should a CISO cut from their program tomorrow with zero regret?</strong></p><p>Any report, meeting, or tool that does not change a decision, reduce a risk, or improve response capability. Security teams are often overloaded by activity that looks productive but does not improve resilience.</p><p><strong>6. What&#8217;s your 60-second test for whether a vendor pitch is worth your time?</strong></p><p>I ask: &#8220;What specific risk do you reduce, how do you prove it, and what will my team need to operate it after purchase?&#8221; If the answer is only buzzwords, it is not worth the time.</p><p><strong>7. What&#8217;s one meeting, report, or process you eliminated, and what replaced it?</strong></p><p>I have replaced long status meetings with risk-based decision updates. Instead of discussing every open item, the focus becomes: what risk changed, what decision is needed, and who owns the next action.</p><p><strong>8. In the first 10 minutes of an incident, what&#8217;s the one action teams most often skip?</strong></p><p>They often skip assigning a clear incident commander. Without one accountable lead, teams lose time debating actions, duplicating work, or communicating inconsistently.</p><p><strong>9. What&#8217;s one question every CISO should ask their team this week?</strong></p><p>&#8220;If this control fails today, how quickly would we know, who would respond, and what evidence would prove it worked?&#8221;</p><p><strong>10. What&#8217;s a phrase or framing you use to translate a technical risk for executives?</strong></p><p>I translate technical risk into business impact: &#8220;This is the path from a technical weakness to financial loss, operational disruption, regulatory exposure, or reputational damage.&#8221;</p><p><strong>11. What&#8217;s your best tip for surviving the CISO role in exactly five words?</strong></p><p>Prioritize risk, people, and clarity.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p><p>For more CISO Tips, read <a href="https://www.cisohq.io/p/ciso-tips-shady-shaker-on-the-7030">Shady Shaker&#8217;s 70/30 Rule and take on discipline.</a></p><p></p>]]></content:encoded></item><item><title><![CDATA[CISO Tips: Shady Shaker on the 70/30 Rule and Discipline That Scales]]></title><description><![CDATA[Shady Shaker of PwC Egypt shares his 70/30 budget rule, strict change controls, and practical CISO tips on vendors, incidents, and board buy-in.]]></description><link>https://www.cisohq.io/p/ciso-tips-shady-shaker-on-the-7030</link><guid isPermaLink="false">https://www.cisohq.io/p/ciso-tips-shady-shaker-on-the-7030</guid><dc:creator><![CDATA[John Kevin Hao]]></dc:creator><pubDate>Tue, 07 Jul 2026 11:06:04 GMT</pubDate><enclosure url="https://substackcdn.com/image/fetch/$s_!2z8J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg" length="0" type="image/jpeg"/><content:encoded><![CDATA[<div class="captioned-image-container"><figure><a class="image-link image2 is-viewable-img" target="_blank" href="https://substackcdn.com/image/fetch/$s_!2z8J!,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg" data-component-name="Image2ToDOM"><div class="image2-inset"><picture><source type="image/webp" srcset="https://substackcdn.com/image/fetch/$s_!2z8J!,w_424,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 424w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_848,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_1272,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_1456,c_limit,f_webp,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 1456w" sizes="100vw"><img src="https://substackcdn.com/image/fetch/$s_!2z8J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg" width="800" height="800" data-attrs="{&quot;src&quot;:&quot;https://substack-post-media.s3.amazonaws.com/public/images/0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg&quot;,&quot;srcNoWatermark&quot;:null,&quot;fullscreen&quot;:null,&quot;imageSize&quot;:null,&quot;height&quot;:800,&quot;width&quot;:800,&quot;resizeWidth&quot;:null,&quot;bytes&quot;:142016,&quot;alt&quot;:null,&quot;title&quot;:null,&quot;type&quot;:&quot;image/jpeg&quot;,&quot;href&quot;:null,&quot;belowTheFold&quot;:false,&quot;topImage&quot;:true,&quot;internalRedirect&quot;:&quot;https://www.cisohq.io/i/205749434?img=https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg&quot;,&quot;isProcessing&quot;:false,&quot;align&quot;:null,&quot;offset&quot;:false}" class="sizing-normal" alt="" srcset="https://substackcdn.com/image/fetch/$s_!2z8J!,w_424,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 424w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_848,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 848w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_1272,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 1272w, https://substackcdn.com/image/fetch/$s_!2z8J!,w_1456,c_limit,f_auto,q_auto:good,fl_progressive:steep/https%3A%2F%2Fsubstack-post-media.s3.amazonaws.com%2Fpublic%2Fimages%2F0649e7d1-8454-4180-9a14-899b3b04e866_800x800.jpeg 1456w" sizes="100vw" fetchpriority="high"></picture><div class="image-link-expand"><div class="pencraft pc-display-flex pc-gap-8 pc-reset"><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container restack-image"><svg role="img" width="20" height="20" viewBox="0 0 20 20" fill="none" stroke-width="1.5" stroke="var(--color-fg-primary)" stroke-linecap="round" stroke-linejoin="round" xmlns="http://www.w3.org/2000/svg"><g><title></title><path d="M2.53001 7.81595C3.49179 4.73911 6.43281 2.5 9.91173 2.5C13.1684 2.5 15.9537 4.46214 17.0852 7.23684L17.6179 8.67647M17.6179 8.67647L18.5002 4.26471M17.6179 8.67647L13.6473 6.91176M17.4995 12.1841C16.5378 15.2609 13.5967 17.5 10.1178 17.5C6.86118 17.5 4.07589 15.5379 2.94432 12.7632L2.41165 11.3235M2.41165 11.3235L1.5293 15.7353M2.41165 11.3235L6.38224 13.0882"></path></g></svg></button><button tabindex="0" type="button" class="pencraft pc-reset pencraft icon-container view-image"><svg xmlns="http://www.w3.org/2000/svg" width="20" height="20" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" class="lucide lucide-maximize2 lucide-maximize-2"><polyline points="15 3 21 3 21 9"></polyline><polyline points="9 21 3 21 3 15"></polyline><line x1="21" x2="14" y1="3" y2="10"></line><line x1="3" x2="10" y1="21" y2="14"></line></svg></button></div></div></div></a></figure></div><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p><p><a href="https://www.linkedin.com/in/shady-shaker/">Shady Shaker</a> is a Senior Manager in Cyber Security at PwC Egypt, with more than 20 years of experience in cybersecurity, information security, and risk management. He has spent more than seven years supporting CISO functions, leading initiatives across cybersecurity strategy, security programs, governance, risk and compliance (GRC), and regulatory compliance. He helps organizations strengthen cyber resilience, manage emerging risks, and align security programs with business objectives.</p><p><strong>1. Complete this sentence: &#8220;Before you buy any new security tool, first...&#8221;</strong></p><p>Conduct cybersecurity due diligence on all prospective vendors offering similar tools, verify their security certifications and the scope of those certifications, ensure the tool&#8217;s capabilities directly support the specific compliance requirements and use cases you are targeting, confirm that robust implementation and ongoing support services are available, and require a proof of concept (POC) to validate the tool&#8217;s capabilities in your environment.</p><p><strong>2. What&#8217;s one rule you enforce on your team that other teams would find strict?</strong></p><ul><li><p>Enforcement against shadow IT and shadow AI, by establishing clear acceptable-use rules that define which AI tools and BYOD devices are approved and permitted, which data can be used, and which business roles may use external AI services.</p></li><li><p>No production change or new integration may go live unless it goes through the change management process, including a documented security review and explicit approval from the security team, regardless of who owns the system or how minor the change may appear.</p></li></ul><p><strong>3. What&#8217;s a number or ratio that guides how you allocate budget, headcount, or your own time?</strong></p><p>My usual advice is to keep about 70 percent of budget and headcount focused on keeping current controls effective: monitoring, incident response, patching, compliance operations, and essential tooling. The remaining 30 percent goes to strategic improvements, automation, and innovation.</p><p><strong>4. What&#8217;s one line that works when asking the board or CFO for a budget?</strong></p><p>This isn&#8217;t a request for security spend; it&#8217;s an investment to prevent or reduce the risk of a quantifiable loss of X and to protect Y% of our revenue-critical operations.</p><p><strong>5. What should a CISO cut from their program tomorrow with zero regret?</strong></p><ul><li><p>Anything, or any control, that doesn&#8217;t reduce risk or support compliance.</p></li><li><p>Unused or redundant tools.</p></li></ul><p><strong>6. What&#8217;s your 60-second test for whether a vendor pitch is worth your time?</strong></p><p>If the vendor doesn&#8217;t understand the problem, or the tool doesn&#8217;t actually address it.</p><p><strong>7. What&#8217;s one meeting, report, or process you eliminated, and what replaced it?</strong></p><p>The most important thing is to maintain a concise security dashboard supported by a brief written update.</p><p><strong>8. In the first 10 minutes of an incident, what&#8217;s the one action teams most often skip?</strong></p><p>Documenting what is actually happening before they start &#8220;fixing&#8221; things, and communicating the incident.</p><p><strong>9. What&#8217;s one question every CISO should ask their team this week?</strong></p><p>Understand the existing roadblocks to implementing new tools, identify where time-to-value can be shortened by simplifying processes, and pinpoint manual tasks that can be automated.</p><p><strong>10. What&#8217;s a phrase or framing you use to translate a technical risk for executives?</strong></p><p>Translate technical risks into business risks and their financial impact.</p><p><strong>11. What&#8217;s your best tip for surviving the CISO role in exactly five words?</strong></p><p>Watch threats from emerging technologies.</p><p class="button-wrapper" data-attrs="{&quot;url&quot;:&quot;https://www.cisohq.io/subscribe?&quot;,&quot;text&quot;:&quot;Subscribe now&quot;,&quot;action&quot;:null,&quot;class&quot;:null}" data-component-name="ButtonCreateButton"><a class="button primary" href="https://www.cisohq.io/subscribe?"><span>Subscribe now</span></a></p>]]></content:encoded></item></channel></rss>