Cybersecurity programs are often judged by the tools they deploy or the threats they block, but lasting resilience depends on making disciplined decisions about where to focus time, budget, and attention. As Chief Security Officer at Erste Magyarország, Peter Egyed believes effective security leadership starts with prioritization, investing in controls that deliver measurable risk reduction, applying policies consistently across the organization, and avoiding unnecessary complexity.
In this edition of CISO Tips, Egyed shares practical advice drawn from years of security leadership. He explains why CISOs should validate a vendor’s real-world impact before making a purchase, why no employee (including the CEO) should receive exceptions to security processes, and how staying calm during the opening minutes of an incident leads to better decisions. His insights reinforce a simple but powerful principle: strong cybersecurity is built on consistency, focus, and clear priorities.
Complete this sentence: “Before you buy any new security tool, first…”
Be sure that the product or service has a real impact and risk mitigation effect for your organization. Secondly, be sure you are not duplicating an already existing feature in your infrastructure. It seems stupid, but I’ve seen this mistake so many times.
What’s one rule you enforce on your team that other teams would find strict?
No exceptions with people. Everyone in the organization must go through the same security procedures to obtain anything. So even if a CEO asks you to bypass some rules, don’t do it!
What’s a number or ratio that guides how you allocate budget, headcount, or your own time?
Security people’s life is always about prioritization. Try to prioritize your 3-4 most important problems and don’t let low-priority events mislead your attention.
What’s one line that works when asking the board or CFO for a budget?
The cost of risk mitigation is much lower than the impact on the organization in case the negative event we try to prevent occurs.
What should a CISO cut from their program tomorrow with zero regret?
Low-priority or low-impact targets that are in the “nice to have” category or are in the “must do but zero benefit” category.
What’s your 60-second test for whether a vendor pitch is worth your time?
Show me 2 real-world use cases that has positive impact on your previous customers.
What’s one meeting, report, or process you eliminated, and what replaced it?
Those meetings that could be an email.
In the first 10 minutes of an incident, what’s the one action teams most often skip?
Be calm and get the biggest picture available.
What’s one question every CISO should ask their team this week?
Where are the difficulties and problems where you need my help?
What’s a phrase or framing you use to translate a technical risk for executives?
Risk Vs. Probability Vs. Impact in a simple way. If we don’t do that, there is a real chance this will happen, but we can mitigate it that way, and there is a cost to it compared to the cost of the negative impact.
What’s your best tip for surviving the CISO role in exactly five words?
Consistency, Focus, Priorities, Strategy, Coffee (a lot)


