Strong cybersecurity leadership often comes down to resisting complexity rather than adding to it. As Group Chief Information Security Officer at ARZ Haan AG, Nikolas Oelkrug-Alders oversees information security across a highly regulated financial services organization supporting Germany’s healthcare sector. His responsibilities span compliance with frameworks including DORA, BAIT, ISO 27001, BSI C5, and GDPR, while ensuring security remains aligned with broader business objectives.
Drawing on experience across technology, aerospace, power generation, and financial services, Oelkrug-Alders approaches cybersecurity as a business risk that should be managed with discipline, practicality, and clear priorities. In this edition of CISO Tips, he shares why CISOs should focus on getting the fundamentals right, how to evaluate vendors beyond marketing claims, why security teams should act as service providers instead of gatekeepers, and the importance of simplifying processes rather than creating new ones for every emerging threat.
1. Complete this sentence: “Before you buy any new security tool, first...”
…ask whether you can truly embed it in your existing security strategy and actually operate it day-to-day. A tool that nobody has the capacity to run is not a control; it is shelfware. This matters even more in mid-cap and smaller organizations, where every new tool competes for the same scarce attention. If it does not fit your daily processes, it will not make you more secure.
2. What’s one rule you enforce on your team that other teams would find strict?
I would not call it strict, but I insist that security always acts as a service provider, not only as a gatekeeper. Enforcing controls is part of the job, yes, but so is explaining why we do things and how each measure fits the wider security strategy. We cannot expect other business functions to understand that from the requirements alone. If the only thing they ever hear from us is “no”, we have already lost them.
3. What’s a number or ratio that guides how you allocate budget, headcount, or your own time?
Frankly, I distrust the idea of a single magic ratio. Prioritization is hard right now, with so many “new” risks appearing every quarter. My guiding principle is to solidify the basis first. Before I chase the newest threat, I want a clear, rehearsed incident-response capability in place, and I will deliberately spend a disproportionate share of my time on it. Get the fundamentals right, and most of the exotic risks become manageable anyway.
4. What’s one line that works when asking the board or CFO for a budget?
Two things, really. First, information security is just another business risk, and it should be treated as such. Whether we act depends on the potential impact and the effort required to mitigate it. As long as we treat cybersecurity as some separate, special animal, we will always struggle to have the conversation at the board level. Second, and this is the line that tends to land: I do not ask for money; I bring savings, either through risk mitigation or through consolidation.
5. What should a CISO cut from their program tomorrow with zero regret?
The reflex to invent a brand-new process or strategy for every so-called “new risk”, AI being the obvious example. If your current strategy cannot already accommodate something like AI, the problem is your strategy, not the absence of an AI strategy. Bolting on new processes will not help you handle the complexity; it will only add to it.
6. What’s your 60-second test for whether a vendor pitch is worth your time?
I ask myself what this vendor’s actual intellectual property is. Where is the real, hard-won substance? If I could vibe-code an equivalent myself over the weekend, there would be nothing to talk about.
7. What’s one meeting, report, or process you eliminated, and what replaced it?
Several, and the common thread is consolidation and the formation of a clear picture of an incident as early as possible. We simply do not have the time to doom-scroll through logs and manually stitch the pieces together into a case. So that manual triage work is being replaced by automation, at least up to the point where human judgment genuinely adds value.
8. In the first 10 minutes of an incident, what’s the one action teams most often skip?
Breathing. Pausing to focus on what actually matters. Teams skip the simple act of taking a few seconds, or even a couple of minutes, to calm down and think. It feels counterintuitive under pressure, but you make that time back many times over, and you avoid the panic-driven mistakes that turn an incident into a crisis.
9. What’s one question every CISO should ask their team this week?
Of everything we do, does it all truly serve a purpose, and can you name that purpose? If a given activity is not measurably improving our security posture, that is a strong signal we need to re-prioritize.
10. What’s a phrase or framing you use to translate a technical risk for executives?
Almost any technical risk can be translated into a risk we already recognize from everyday life, not only from the business context. People grasp a threat far more quickly when they can relate it to their own home or family. Would you leave your front door unlocked because locking it is inconvenient? That kind of framing does more than any CVSS score ever will.
11. What’s your best tip for surviving the CISO role in exactly five words?
Never settle in, always adapt!


