On leadership and security culture: Be someone people want to work with

by Black Hat Middle East and Africa

“The most valuable advice I can offer is this: strive to be someone people genuinely want to work with.” 

That’s what Bernard Assaf (CISO at Airbus) said when we asked him to share his top advice for early-career cybersecurity professionals. 

Technical expertise is just one part of the cybersecurity equation, and for Assaf, a leader is defined by their ability to inspire trust and drive cultural change across their organisation.

Here’s the full conversation – from practical advice on embedding security into development pipelines, to the value of teaching and storytelling. 

In an organisation as large as Airbus, how do you strike a balance between heavy governance and the need for speed in innovation and incident response?

“Striking this balance requires moving from restrictive gatekeeping to an enabling, risk-based framework.

“For innovation, this means embedding automated security guardrails directly into development pipelines. This ‘Shift Left’ approach, providing teams with a secure-by-design architecture, empowers them to move at speed while significantly reducing the long-term costs of rework and compliance.

“As for incident response, governance is front-loaded through well-defined playbooks, documented processes, and regular drills. This rigorous preparation ensures that during an actual incident, the team can act with maximum speed and efficiency, guided by a pre-approved strategy rather than slowed by bureaucracy.” 

How do you leverage your skills in teaching and business comms to improve security awareness across thousands of employees?

“Combining teaching and business communication is in itself a great skill to improve security awareness across a large organisation.

“I believe that storytelling and public speaking are very useful tools to make the threats more relatable, the risks more realistic, and the message more memorable. Rather than focusing on a single delivery method, we need to treat awareness as a continuous, multi-channel campaign, ensuring the message is consistently reinforced.

“This approach empowers all employees, effectively shifting the security culture from a list of requirements to a shared and proactive responsibility.”

And how do you measure security culture? Are there any indicators or metrics that help you assess if your security culture is becoming truly resilient, beyond simple compliance stats?

“We have to look beyond simple compliance statistics to gauge employee behaviour and engagement. 

“Standard technical metrics are useful, but I prioritise leading indicators that demonstrate a shift in mindset. These include a rise in user-reported phishing attempts, which signals heightened vigilance, alongside a consistent decrease in click-rates on phishing simulations. I also track the volume of proactive security inquiries made by employees to the security team. Together, these data points paint a clear picture of a culture moving from passive compliance to one of active defense.

“It is crucial to frame this cultural transformation as a long-term commitment – it often requires a minimum of three to five years to achieve lasting results. Success is therefore entirely dependent on the security leadership consistently demonstrating patience, empathy, and unwavering integrity.” 

Looking into the future, what capabilities do you think CISOs will need to develop in order to be effective?

“The CISO role will demand a mix of advanced technical and strategic business capabilities.

“On the hard skills side, expertise will shift towards securing AI and machine learning ecosystems, leveraging data analytics to quantify risk, and mastering complex and heterogeneous environments. 

“But the most critical growth will be in soft skills. Advanced business acumen to function as a true C-level peer, the ability to translate cyber risk into business impact understood by the board, and a transformational leadership style focused on motivation and growth.” 

And looking to the past – what's one thing you wish you knew earlier in your career?

“That is a great question, and one that is very hard to answer! Early ‘enough’ in my career, a wise CIO I had the privilege of working with shared a piece of advice that has stayed with me ever since: 'Relationships matter more than titles.' 

“While titles certainly have their place, that simple statement fundamentally shaped my perspective on what it means to be an effective leader. It’s a lesson I often share with professionals starting their journey in cybersecurity. The most valuable advice I can offer is this: strive to be someone people genuinely want to work with.” 

Find Bernard Assaf on LinkedIn. Register now for Black Hat MEA and learn more from the leading minds in cybersecurity. 
