Tarik Ustuner is the Chief Information Security Officer at Bybit TR, where he is responsible for safeguarding the organization’s information systems in a high-stakes, fast-moving financial environment. In his role, Tarik designs and implements robust security protocols, works closely with internal teams to identify and mitigate vulnerabilities, and strengthens compliance with industry standards, driving measurable reductions in security incidents along the way. Known for his pragmatic, action-oriented mindset, Tarik approaches cybersecurity as a living discipline: one that requires a deep understanding of the business, constant awareness of the evolving threat landscape, and the resilience to respond decisively when it matters most.
1. Complete this sentence: “Before you buy any new security tool, first...”
Audit your existing tech stack to see what’s already capable of doing the exact same thing but was never fully deployed. Most security gaps are caused by 20% tool utilization, not a lack of tools.
2. What’s one rule you enforce on your team that other teams would find strict?
We enforce a strict “no manual changes in production” rule. Even during a high-severity incident, no one is allowed to hotfix code or configurations directly on live servers. Everything must go through the CI/CD pipeline and automated checks. Other departments think it slows us down during a crisis, but it prevents a bad situation from becoming a catastrophe.
3. What’s a number or ratio that guides how you allocate budget, headcount, or your own time?
The 80/20 rule. I dedicate 80% of my budget and team focus to rock-solid cyber hygiene: patch management, identity protection, and visibility. The remaining 20% goes to advanced tools and proactive threat hunting. There is no point in buying a state-of-the-art security system if your front door doesn’t lock.
4. What’s one line that works when asking the board or CFO for a budget?
“This budget isn’t a guarantee that we will never be breached; it’s an investment to ensure that when a breach happens, our business recovery time drops from three weeks to three hours.”
5. What should a CISO cut from their program tomorrow with zero regret?
Those annual, boring, compliance-driven security awareness videos that everyone mutes. No one ever stopped clicking on a phishing link because of a slide deck. Replace them with real-time, bite-sized, interactive simulation triggers.
6. What’s your 60-second test for whether a vendor pitch is worth your time?
In the first 60 seconds, they need to talk about my specific business problem, not their product features. If the pitch starts with buzzwords like “AI-driven, revolutionary, next-gen paradigm shift,” my clock runs out and the meeting is practically over.
7. What’s one meeting, report, or process you eliminated, and what replaced it?
I killed the traditional two-hour Monday status update meeting and replaced it with a 15-minute daily stand-up. I also eliminated the 40-page monthly PDF security report, replacing it with a single, dynamic executive risk dashboard.
8. In the first 10 minutes of an incident, what’s the one action teams most often skip?
Taking a breath and documenting the initial blast radius. Teams usually panic and rush to patch things or kill servers immediately. In doing so, they often destroy vital logs and evidence. The first 10 minutes should strictly be about calm containment and logging what is currently happening.
9. What’s one question every CISO should ask their team this week?
“What is the one control or system we trust the most right now, and when was the last time we actually tried to break it ourselves?”
10. What’s a phrase or framing you use to translate a technical risk for executives?
I strip out the technical jargon and translate it into operational downtime: “This vulnerability doesn’t just mean an unpatched server; it means our primary revenue engine goes dark for 48 hours, costing us roughly fifty thousand dollars an hour.”
11. What’s your best tip for surviving the CISO role in exactly five words?
Own risk management, not risk.
See the other tips shared by other CISOs:


