Rocco Barra is a seasoned cybersecurity and technology executive with over 15 years of experience operating at the intersection of IT systems, security, and business transformation. He currently serves as Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) at Aeromeccanica Stranich S.p.A., where he leads both the strategic direction of IT and the governance of cybersecurity risk across the organization.
With a strong foundation in integrating complex digital ecosystems, including ERP, PLM, cloud infrastructure, and SaaS platforms, Rocco brings a systemic, end-to-end view of how technology supports business operations. His dual role enables him to align security with production workflows, operational continuity, and long-term growth initiatives. Known for his pragmatic and people-centric approach, he emphasizes governance, real-world context, and continuous adaptation, ensuring that security is not just a control function, but a driver of resilience and business value.
1. Complete this sentence: “Before you buy any new security tool, first...”
First, define the requirement on paper. Then evaluate the possible use cases and think about a scalable project. Only after these steps should you consider purchasing the solution.
2. What’s one rule you enforce on your team that other teams would find strict?
Every project must be designed offline and documented before implementation.
3. What’s a number or ratio that guides how you allocate budget, headcount, or your own time?
I prefer to evaluate it in reverse. Cybersecurity is not predictable, so I allocate the budget across different areas, measure the impact, and review the results afterwards.
4. What’s one line that works when asking the board or CFO for a budget?
I led the digital transformation of the group, and over time my way of working has built trust. Today, my requests are supported by the results we have already achieved.
5. What should a CISO cut from their program tomorrow with zero regret?
The fear of having to prove that today’s decision will still be the right one in the future. Decisions are made with the information available at that moment. The important thing is to make decisions and adapt when necessary.
6. What’s your 60-second test for whether a vendor pitch is worth your time?
If at least one slide presents a real use case that can be applied to my business, I will continue listening.
7. What’s one meeting, report, or process you eliminated, and what replaced it?
I removed the weekly incident update meeting for each department and replaced it with a live Power BI dashboard.
8. In the first 10 minutes of an incident, what’s the one action teams most often skip?
Updating the ticketing system with the information already discovered. It sounds simple, but it is often forgotten.
9. What’s one question every CISO should ask their team this week?
“Do we really have everything under control?”
10. What’s a phrase or framing you use to translate a technical risk for executives?
I explain risks and security investments using the concept of the corporate perimeter, because it is easy for non-technical managers to understand.
11. What’s your best tip for surviving the CISO role in exactly five words?
Never take anything for granted.
Different desks, different rules. More tips from the series:


