CISO Spotlight: Dimitris Georgiou on Building Security that Serves People First
Dimitris Georgiou, Chief Security Officer, stresses that cybersecurity is not only a technical problem but a matter of human impact. He advocates building security awareness from employees' real lives rather than relying solely on corporate policy. He argues that CISOs must be fluent in both technical and business language, drive the alignment of strategy and security in the boardroom, and attend to the security challenges of AI and APIs. His core idea is that combining technology with the human dimension helps organizations fulfil their mission while staying secure.

2026-03-30 12:00:00 Author: lab.wallarm.com (view original)

Dimitris Georgiou has been a self-professed computer geek since the early 80s. At university, he studied the convergence of educational technology with computer science as part of his psychology MA – finding, to his disbelief, that systems were perilously insecure. 

Since then, he’s always worked in and around cybersecurity. He’s had roles as a computer science teacher, a technology manager, and a cybersecurity consultant, before finally landing in his current role: Chief Security Officer at Alphabit Cybersecurity, a member of the Softweb Adaptive I.T. Solutions Group of Companies. But he’s never forgotten his humanities background.

In this edition of CISO Spotlight, Dimitris explores the importance of CISOs speaking both technical and business language, his concerns around AI and API security, and the CISO’s role in the boardroom. 

For Dimitris, the human factor is the pinnacle of everything cybersecurity professionals do. “Cybersecurity is not just a tradecraft,” he said, “it’s more than that. It has a human impact. Everything we do is to keep our resources out of the hands of cybercriminals. And digital transformation has resulted in the greatest transfer of resources in history.”

Dimitris argues that security awareness only works when it starts with people’s real lives, not just corporate policy. Teaching employees how to protect their children, savings, or elderly relatives creates a mindset that naturally carries back into the workplace. 

“If you start with the business, it doesn’t land,” he explained. “But if people see how cybersecurity protects them, you create that all-important human firewall.”

Early in his career, Dimitris’s primary challenge was simply convincing organizations to invest in even the most basic cybersecurity. “Back then,” he recalls, “you had to convince people to spend twenty or thirty dollars per user – and even to stop using cracked versions of antivirus.”

That experience shaped how he thinks about security leadership today. Rather than trying to scare executives into action, he focuses on aligning cybersecurity with growth and resilience. The CISO, he insists, must operate fluently in both technical and business worlds.

“We must translate security imperatives into business continuity and business flourishing mandates. From there, we must create a dogma within the business establishment – not the security establishment – that cybersecurity can and will be a business enabler if you treat it as such.” 

Dimitris’s mindset reflects a broader change across modern security leadership. Time and time again in this series, we’ve seen leaders drive home one simple truth: CISOs can no longer just be enforcers, they must be enablers that bridge technical risk with business outcomes. 

This shift towards business-focused CISOs influences how Dimitris thinks about the boardroom. Over the next few years, he expects CISOs to become routine participants in executive decision-making, sitting alongside CFOs and CEOs to discuss risk ownership, resilience, and operational continuity. 

“Cybersecurity is just one risk among many. Boards have to consider financial risk, operational risk, market risk, employee churn, effectiveness – everything,” he said. 

CISOs must frame cybersecurity within that narrative, convincing the board to align strategic goals with cybersecurity for resilience, operational effectiveness, and development across the organization.

Achieving this requires a rare combination of skills. Technical expertise still matters – Dimitris stresses that leaders should understand the pain and complexity security teams face – but CISOs don’t necessarily need to be the most technically brilliant person in the room. Soft skills like communication and narrative-building are just as important.

“Organizations don’t exist to be secure,” says Dimitris, “they have a mission. The CISO’s job is to help them achieve that mission safely.” 

Preparation for incidents, Dimitris argues, starts with awareness. Breaches will happen. Perfection isn’t the goal, readiness is. That means building teams that can respond without panic and leaders understanding what resilience really means. 

But Dimitris is quick to emphasize the emotional toll breaches can take. Morale often collapses after an incident, especially when security teams are underfunded or unsupported beforehand. In those moments, governance and executive involvement become essential. “You can’t just throw security at a problem and expect miracles,” he said. 

From past incidents, he’s learned that many disasters result from poor budget decisions – purchasing cheap, ineffective controls when the cost of more expensive tools pales in comparison to what an incident can cost in reputation, damages, and morale. 

Although Dimitris recognizes the productivity gains AI brings, he worries about the lack of transparency and governance surrounding its use and its impact on organizations’ security posture. “We’re engaging with black boxes doing magical and fantastic things,” he said. “But we don’t understand their inner workings.”

Putting on his “digital forensic investigator hat,” Dimitris argues that investigating an incident involving an AI model would be very difficult. Unlike a conventional system, one can’t simply attach an interface to a model and collect the evidence an investigation needs. And that, he says, is a problem right now.

For Dimitris, we need to have a serious conversation about governance. Organizations are too focused on outcomes and overlook factors like digital sovereignty. He’s not at all anti-innovation, but he calls for a “marriage of innovation and governance.”

If AI is the big conversation, API security is the immediate battlefield. Dimitris believes that APIs will dominate security agendas going forward. But it’s going to be a challenge.

“Everybody is creating sockets for everybody to connect,” he said, pointing to the explosion of integrations and automated workflows across modern software ecosystems.

APIs, he argues, are fundamentally different from traditional web applications. Treating them the same – assuming a web application firewall (WAF) alone is sufficient, for example – is a dangerous misconception. APIs often run under high-privilege machine accounts, so a single weakness, such as a missing authorization check on a perfectly well-formed request, can hand an attacker the full reach of that account and deep access to backend systems. 

His advice starts with the fundamentals: threat modeling, secure coding, segmentation of privileged system accounts, continuous monitoring, and relentless assessment. In his words, we can’t simply bolt API security on; we must build it into the API itself from the beginning. 
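The two points above, that a WAF alone is not enough for an API and that privileged machine accounts need to be segmented, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from Wallarm, Alphabit, or the interview. The tenants, account records, token shape, scope names and WAF signatures are all constructed for illustration. A signature-style WAF check passes a syntactically clean request for another tenant's object, the vulnerable handler serves it because it equates "has the read scope" with "is authorized", and the hardened handler adds object-level checks and refuses any machine token that is not bound to a single tenant.

```python
"""Added example: a syntax-inspecting WAF versus object-level API authorization,
and tenant-scoped machine credentials. All data and names are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: account records belonging to two tenants.
ACCOUNTS = {
    42: {"owner": "alice", "tenant": "acme", "balance": 1200},
    43: {"owner": "bob", "tenant": "acme", "balance": 80},
    99: {"owner": "carol", "tenant": "globex", "balance": 5000},
}


@dataclass(frozen=True)
class Token:
    subject: str            # "alice" for a user, "svc:billing" for a machine account
    scopes: frozenset       # coarse permissions, e.g. {"accounts:read"}
    tenant: Optional[str]   # tenant the credential is confined to; None = legacy unscoped token


# A signature-style WAF rule set (hypothetical). It looks for attack syntax and nothing else.
WAF_PATTERNS = [re.compile(p, re.I) for p in (r"('|\")\s*or\s+1=1", r"<script", r"\.\./")]


def waf_allows(path: str) -> bool:
    """True when no signature matches. A well-formed read of someone else's object passes."""
    return not any(p.search(path) for p in WAF_PATTERNS)


def get_account_vulnerable(token: Token, account_id: int) -> Optional[dict]:
    """Vulnerable: a valid scope is treated as full authorization (no object-level check).
    Any caller holding accounts:read can read any account id, across tenants."""
    if "accounts:read" not in token.scopes:
        return None
    return ACCOUNTS.get(account_id)


class Forbidden(Exception):
    pass


def get_account_hardened(token: Token, account_id: int) -> dict:
    """Hardened: scope check, then object-level checks on tenant and owner.
    Machine accounts are accepted only when bound to a single tenant."""
    if "accounts:read" not in token.scopes:
        raise Forbidden("missing scope")
    acct = ACCOUNTS.get(account_id)
    if acct is None:
        raise Forbidden("denied")                  # same answer as a denial: no id-enumeration oracle
    if token.tenant is None:
        raise Forbidden("unscoped machine token")  # legacy all-tenant credential is refused outright
    if acct["tenant"] != token.tenant:
        raise Forbidden("denied")                  # cross-tenant request
    is_service = token.subject.startswith("svc:")
    if not is_service and acct["owner"] != token.subject:
        raise Forbidden("denied")                  # users may only read their own objects
    return acct


def authorize(token: Token, account_id: int) -> str:
    """Wrapper that reports the hardened outcome as a string instead of an exception."""
    try:
        get_account_hardened(token, account_id)
        return "allowed"
    except Forbidden as exc:
        return f"denied: {exc}"


def scenario() -> dict:
    """Run three principals against the same well-formed request and collect the outcomes."""
    alice = Token("alice", frozenset({"accounts:read"}), "acme")
    legacy_svc = Token("svc:billing", frozenset({"accounts:read"}), None)    # before segmentation
    scoped_svc = Token("svc:billing", frozenset({"accounts:read"}), "acme")  # same service, tenant-bound
    return {
        "waf_passes_cross_tenant_read": waf_allows("/api/v1/accounts/99"),
        "waf_blocks_injection": not waf_allows("/api/v1/accounts/1' or 1=1"),
        "vulnerable_alice_reads_carol": get_account_vulnerable(alice, 99) is not None,
        "vulnerable_legacy_svc_reads_all": all(get_account_vulnerable(legacy_svc, i) for i in ACCOUNTS),
        "hardened_alice_own": authorize(alice, 42),
        "hardened_alice_bob": authorize(alice, 43),
        "hardened_alice_carol": authorize(alice, 99),
        "hardened_legacy_svc": authorize(legacy_svc, 42),
        "hardened_scoped_svc_in_tenant": authorize(scoped_svc, 43),
        "hardened_scoped_svc_cross_tenant": authorize(scoped_svc, 99),
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:36} {outcome}")
```

The request `/api/v1/accounts/99` contains nothing for a signature to match, so the WAF lets it through; only the handler knows that 99 belongs to another tenant. Refusing the unscoped `svc:billing` token is the segmentation step: the same service keeps working once it is issued a tenant-bound credential, but a leak of that credential no longer exposes every tenant.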

Despite tackling complex technical issues, Dimitris always returns to one idea: cybersecurity is about people. Whether discussing AI, governance, or executive strategy, his focus remains on the human impact. 

Outside work, he’s sharpening his management skills through Harvard Business Review lessons, listening to lounge music to unwind, and following financial and cybersecurity podcasts to stay informed.

If he had the time, he’d head to Japan – he's drawn to the balance between deep cultural roots and relentless technological innovation. That same curiosity defines his approach to security leadership. 

To reiterate: for Dimitris, the modern CISO is more than a technical guardian. The role is about translating risk into business language, aligning people and technology, and helping organizations move forward with confidence. 


Source: https://lab.wallarm.com/ciso-spotlight-dimitris-georgiou-security-serves-people-first/