CISO Tips: Shady Shaker on the 70/30 Rule and Discipline That Scales
Shady Shaker is a Senior Manager in Cyber Security at PwC Egypt, with more than 20 years of experience in cybersecurity, information security, and risk management. He has spent more than seven years supporting CISO functions, leading initiatives across cybersecurity strategy, security programs, governance, risk and compliance (GRC), and regulatory compliance. He helps organizations strengthen cyber resilience, manage emerging risks, and align security programs with business objectives.
1. Complete this sentence: “Before you buy any new security tool, first...”
Conduct cybersecurity due diligence on all prospective vendors offering similar tools, verify their security certifications and the scope of those certifications, ensure the tool’s capabilities directly support the specific compliance requirements and use cases you are targeting, confirm that robust implementation and ongoing support services are available, and require a proof of concept (POC) to validate the tool’s capabilities in your environment.
2. What’s one rule you enforce on your team that other teams would find strict?
Enforcement against shadow IT and shadow AI, by establishing clear acceptable-use rules that define which AI tools and BYOD devices are approved and permitted, which data can be used, and which business roles may use external AI services.
No production change or new integration may go live unless it goes through the change management process, including a documented security review and explicit approval from the security team, regardless of who owns the system or how minor the change may appear.
3. What’s a number or ratio that guides how you allocate budget, headcount, or your own time?
My usual advice is to keep about 70 percent of budget and headcount focused on keeping current controls effective: monitoring, incident response, patching, compliance operations, and essential tooling. The remaining 30 percent goes to strategic improvements, automation, and innovation.
4. What’s one line that works when asking the board or CFO for a budget?
This isn’t a request for security spend; it’s an investment to prevent or reduce the risk of a quantifiable loss of X and to protect Y% of our revenue-critical operations.
5. What should a CISO cut from their program tomorrow with zero regret?
Anything, or any control, that doesn’t reduce risk or support compliance.
Unused or redundant tools.
6. What’s your 60-second test for whether a vendor pitch is worth your time?
If the vendor doesn’t understand the problem, or the tool doesn’t actually address it.
7. What’s one meeting, report, or process you eliminated, and what replaced it?
The most important thing is to maintain a concise security dashboard supported by a brief written update.
8. In the first 10 minutes of an incident, what’s the one action teams most often skip?
Documenting what is actually happening before they start “fixing” things, and communicating the incident.
9. What’s one question every CISO should ask their team this week?
Understand the existing roadblocks to implementing new tools, identify where time-to-value can be shortened by simplifying processes, and pinpoint manual tasks that can be automated.
10. What’s a phrase or framing you use to translate a technical risk for executives?
Translate technical risks into business risks and their financial impact.
11. What’s your best tip for surviving the CISO role in exactly five words?
Watch threats from emerging technologies.


