
How AI Vendor Risks Are Driving CISOs to Prioritize Business Alignment Over Traditional Controls

The Security Digest - News Team | Published January 15, 2026

The modern CISO is a business enabler. Firudin Davudzada, Bamboo Card's Info Security Manager, shares his playbook for security champions, vetting tech, and resilience.

Outlever

Key Points

  • As security leaders navigate complex threats and regulations, many are adopting a new model to integrate security as a strategic business enabler.

  • Firudin Davudzada, Information Security Manager at Bamboo Card, explains how to transform the CISO from a technical blocker into a vital business partner.

  • This approach uses security champions and tailored training to build a shared security culture, vets new technologies with a problem-first mindset, and fosters talent through mentorship and community engagement.

Serving as a bridge between technical teams and the rest of the business is one of the most critical roles for a CISO.

Firudin Davudzada

Information Security Manager
Bamboo Card

In an AI-driven, highly regulated environment, the job description for the modern CISO is being rewritten. No longer just a technical gatekeeper, today’s security leader is expected to be a strategic business enabler. A new generation of threats, including nation-state attacks and vulnerabilities from cloud tools, paired with new cross-border regulations like GDPR and CCPA, means security leaders need to treat cyber resilience as a core company asset.

For Firudin Davudzada, the Information Security Manager at rewards fulfillment agency Bamboo Card and former Group CISO at cybersecurity firm Datricon Technologies, cybersecurity leadership is less about enforcing controls and more about enabling sustainable growth in regulated, high-risk environments. A certified CISO and CISSP, he sees the CISO's defining role as a human one: "Serving as a bridge between technical teams and the rest of the business is one of the most critical roles for a CISO," he says.

  • Talk business, not bytes: According to Davudzada, the job is to enable the organization to thrive safely in a competitive marketplace. He works to actively dismantle the "department of no" stereotype by weaving security principles directly into the workflow of the business, making it a seamless, shared objective. "You are responsible for translating cybersecurity risks into business terms that resonate with nontechnical stakeholders and directly support decision-making," he explains.

  • Custom-fit coaching: He understands that a one-size-fits-all approach to security awareness is ineffective. Instead, by aligning training with specific departmental functions, he ensures the relevance and impact of security education, fostering genuine engagement and ownership. "People are more likely to prioritize security when they understand how it supports their objectives. That’s why I spearhead training programs and simulations tailored to specific roles, like phishing simulations for business teams or data protection workshops for HR."

In practice, Davudzada utilizes a security champions program, which formalizes cross-departmental collaboration by identifying and empowering employees to act as security advocates. "Security champions are trusted representatives embedded within business units, acting as localized risk owners and cultural amplifiers for security. They bridge the gap between security objectives and the day-to-day operations of their own teams," he says.

It's a model built on positive reinforcement, not restriction. For him, that reinforcement is what builds lasting security maturity. "The key to sustaining the program is to consistently support and recognize these champions. Creating incentives, such as internal awards, recognition from the CEO, or support for their professional development, motivates them and signals that the organization values their efforts," he advises.

  • A place for everything: He is putting this theory into action in the high-risk gift card industry, where fraud, abuse, and regulatory scrutiny are persistent challenges. He's established a program where individuals receive tailored training on key topics like industry-specific compliance and phishing, while development teams focus on secure coding. "A high-performing security organization hinges on clarity. It begins with structuring specialized sub-teams for core functions like incident response and threat intelligence, so each domain gets focused attention without overlap," he outlines.

  • Problem before product: That same business-first mindset guides how Davudzada evaluates new technologies, particularly in the face of intense AI hype. He uses a deliberate, problem-first approach that keeps technology in service of clear business objectives. His approach starts with identifying the organizational need or the specific problem a technology aims to solve. He then collaborates with functional teams to document the requirements before engaging with any vendor demos. "To manage the hype factor, I rely on feedback from my peers in industry forums and on independent benchmarking."

  • Trust but verify: His rigorous due diligence process minimizes risk and ensures that any new solution not only meets technical requirements but also aligns with the organization's security posture and compliance obligations, fostering trust in adopted technologies. "I emphasize due diligence through a vendor security assessment. The process involves assessing each vendor’s security posture, reputation, and third-party audits so that any solution we consider is thoroughly vetted," he says. "This is particularly critical for AI-enabled platforms, where opaque data handling, model training practices, and third-party dependencies introduce non-obvious risk."

Davudzada sees a CISO's responsibility as something that extends beyond the walls of their own organization. His commitment is two-fold: developing the next generation of talent internally while contributing to the collective resilience of the industry by staying active in professional communities. "Internally, I prioritize mentorship by creating personalized skill development plans and offering my team exposure to strategic initiatives," he concludes. "Externally, I engage with peers at CISO events and meetups to share knowledge and collaborate on best practices, which contributes to our mutual growth. It reflects my commitment to both developing talent within the organization and the advancement of the information security landscape as a whole."