CISO Spotlight: Lefteris Tzelepis on Leadership, Strategy, and the Modern Security Mandate
Lefteris Tzelepis, a group CISO, shares his cybersecurity journey from military service to leading security programs. He emphasizes the importance of strategic thinking, people management, and incident response. Highlighting the evolving role of CISOs and the need for strong API security, he also reflects on balancing technology with personal downtime.

2025-12-19 13:38:18 Author: lab.wallarm.com

Lefteris Tzelepis, CISO at Steelmet/Viohalco Companies, was shaped by cybersecurity.

From his early exposure to real-world attacks at the Greek Ministry of Defense to building and leading security programs inside complex enterprises, his career mirrors the evolution of the CISO role itself. Now a group CISO overseeing security across multiple organizations, Lefteris brings a practitioner’s mindset to leadership and incident response.

In this spotlight, he shares how military-grade security thinking influenced his approach, why people management is the hardest part of the job, and what it really takes for security to support the business.

From the Barracks to the Boardroom: Lefteris’ Cybersecurity Journey

Lefteris says that he never really started in cybersecurity; he was raised by it. As a young man on his military service duty, Lefteris found himself at the Greek Ministry of Defense. While there, he spent 11 months alongside a team of security specialists.

“That’s where I first learned about security,” he said. “I learned how to configure Linux and OpenBSD firewalls, even before understanding routing. Seeing attacks on the ministry's websites was fascinating, and that started everything.”

According to Lefteris, this was his first introduction to what were later named security-by-design principles.

“These guys weren’t trying to conquer every hacker,” he said. “They were trying to block all the possible ways that someone could find to attack the ministry. I found that fascinating.”

After his military service, Lefteris started his career as a computer and network engineer, but remained drawn to the security aspects of his work. During this time, he gained valuable experience managing customers and projects at various service provider companies.

The real shift in his career, however, came when he joined the Greek National Lottery.

“When I joined in 2014, the security officer left shortly after, creating a vacancy,” he said. “As a Network Security Engineer, I stepped up to lead the IT Security efforts, essentially establishing the role. Suddenly, I found myself project managing and leading internal and client engineering teams.”

Today, Lefteris holds a group CISO position, overseeing security for a large number of companies in the industrial sector. But as he worked his way up the corporate ladder, he learned a thing or two about what it means to be a good leader.

Tough Roles Require Soft Skills: People Management and the CISO

According to Lefteris, people management has been the biggest challenge of his career. As he moved up towards the CISO position, his focus crept away from technical expertise and towards soft skills.

“A speaker at a webinar I attended once said that moving up the security ladder into management means losing technical depth. That annoyed me a little,” he said. “But I realized it's true: your primary focus does shift to managing people. If you are an Information Security Manager, you are first a manager, then an information security professional.”

The hardest part for Lefteris was finding that he couldn’t just “attend a seminar” to gain these skills. You need to learn on the job.

"To evolve successfully, you must constantly observe your surroundings, paying close attention to people's mindsets, their capacity and willingness to listen, and their comprehension during good times and bad. I haven't found the magic recipe for this; it's an ongoing process,” he said.

Ultimately, Lefteris wants to inspire and empower his team as a leader, not just a boss.

"Being a boss is totally different from being a leader. When I look in the mirror, I want to be a leader - I want my people to work with me because they believe in the objective, not just because I asked,” he said.

The Evolving Role of the CISO

For Lefteris, there are three types of CISO: the operational, the tactical, and the strategic.

"While every organization is different, climbing the ladder in the CISO domain demands two things: you must become strategic, and you must remain closely connected to the business,” he said.

He argues security fundamentally exists to support the wider business. That means CISOs must know where the business is going, and tailor their program to support that path.

"While we've often discussed finding the balance between business and security," he said, "I now argue that we must actively support the business. This is the only way to achieve a win-win scenario."

Lefteris also keeps a close eye on trends that foresee IT functions reporting directly to the CISO.

"I've seen a trend and read studies where the IT function is moving under the CISO role," he explained. "This happens because these organizations recognize the importance of cybersecurity hygiene, and a major function of IT is to serve those security requirements."

However, Lefteris expressed concerns about this model, noting that it might not be sustainable in the long term. "I'm not sure I believe in that," he said. "Because it means putting more concerns under the CISO umbrella. And there's already too much under that.”

As the CISO role continues to evolve, Lefteris underscores the importance of carefully considering the scope and structure of the role. He wants to ensure that CISOs are not overburdened with responsibilities that detract from their core mandate: security.

Efficient Incident Response = Strong Security

Lefteris argues that cultivating a security team capable of responding to security incidents is one of the most crucial tasks for a modern CISO. For him, the Incident Response Leader is the focus of all incident response efforts.

"When an incident occurs, you need an Incident Response Leader who takes charge. Everyone must stop and gather around them to receive a list of action items. Even if it's a known playbook, the Leader must be in command," he said.

For Lefteris, security teams must be prepared to react by reflex during a security incident. Rather than relying on ad-hoc responses, he advocated for establishing clear, well-rehearsed playbooks that the team can execute almost without thinking.

According to Lefteris, all incidents must be treated with “zero tolerance for process bypass.” That builds the muscle memory and automated reflexes needed for critical events.

Visibility and Secure Coding Define API Security

Businesses cannot afford to delay AI adoption, and AI is increasingly used even in Operational Technology (OT) settings. As that happens, APIs have become the machine-to-machine backbone of modern infrastructure, and a single misconfiguration can bring down an entire system.

Therefore, visibility and discovery are where everything starts.

"You cannot protect what you don't know," he stated. "No attacker will knock on your front door, they’ll go straight for the APIs. So, the number one challenge is to know your factory, know your plant, know your business, know your organization. You must understand how many APIs you have and what data they handle. You need to know everything if you want to do security effectively."

Lefteris also emphasized the importance of robust API security practices, including secure coding.

"Secure coding is crucial," he said. "This involves training developers, evaluating their work using tools like SAST and DAST, conducting secure code audits, and maintaining a robust launch process with regular assessments."

However, Lefteris recognized that even with these measures in place, gaps can persist. But he urged organizations not to simply "destroy everything and build it all over again." Instead, he advocated for a more measured approach. “Conduct pre-production security assessments to identify what needs modification rather than destroying everything and building from the ground up later on.”

Even CISOs Need a Break from Technology

Lefteris closed by outlining his dream vacation. He wasn’t fussy; he merely wanted to be somewhere without cell phone reception or technology, but with his family.



Article source: https://lab.wallarm.com/ciso-spotlight-lefteris-tzelepis-leadership-strategy-modern-security-mandate/