CISO Insider S1E4 - Change management and risk triage with Lisa Hawke

January 21, 2021
On this page

At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.         

We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.      

Everlaw VP of Security and Compliance Lisa Hawke joins us to share her insights on the hidden skills necessary to succeed as an infosec leader and her journey from working in environmental law to security and compliance. Also, get some birding recommendations in Central Park. Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at support@nightfall.ai.

Chris Martinez: I'm Chris Martinez. Today on CISO Insider Lisa Hawke from Everlaw joins us to talk about her journey from working in environmental law, to security and compliance, the hidden skills necessary to succeed as an InfoSec leader and a lot more. Please join us in welcoming Lisa to CISO Insider.  

Chris Martinez: Thanks so much Lisa, for sitting down and talking with us, we really appreciate it. You have a very distinguished career in environmental law and compliance. What attracted you to the B2B SaaS space after going through that career path?

Lisa Hawke: I studied environmental science. That was my undergrad degree, and I worked as a bench chemist briefly after college before going to law school. I got into the compliance space through the legal angle. When I got out of law school, I worked as a fellow for the Center for International Environmental Law, an environmental NGO before going into the regulatory world in the energy business. I started off in regulatory compliance with two different energy companies, mainly in the energy commodities trading space, which is quite technical from a compliance standpoint, and very driven by various state and federal regulations.

Lisa Hawke: I was in the energy business for almost a decade. I decided to leave after a long stint of living in the Houston, Texas area. I'm originally from the East coast. Although I loved living in Houston and I was there for almost a decade, I eventually decided that I wanted to move closer to family. I jumped out of the energy business into B2B software, mainly because the company that I work for now was looking for somebody with experience building policy, compliance and risk management programs. Now I lead the security and compliance team at Everlaw.      

Chris Martinez: How did you get started with writing for publications like TechCrunch and Above The Law?

Lisa Hawke: I personally really enjoy writing. Some of the opportunities like TechCrunch and Above The Law have come through my company Everlaw's press team and their relationships with those outlets, and from what the outlet might be interested in publishing. But some of the other writing I've done has been more self-driven through my own relationships. I've done some writing for Bloomberg Law, as well as The Compliance and Ethics magazine run by the Society of Corporate Compliance and Ethics. And my own blog.

Lisa Hawke: I think when it comes to writing and who you write for, a lot of it comes down to what you're personally comfortable with. I like to focus on knowledge sharing, what I've learned, or points of view on a specific thing that has happened in the news. I try to do my best to stay away from anything that could be read as a sales pitch. For folks interested in writing for different outlets, I would recommend sticking to what you've learned and your points of view.      

Chris Martinez: How do you balance all of that along with your other commitments, like being a board member of some pretty prestigious organizations in the Bay Area?

Lisa Hawke: How does anyone balance anything? That's a good question though. I'm currently serving as Vice Chair and a board member of Women in Security and Privacy. We have affiliated groups in several different locations, including Washington DC, New York, and Dublin, Ireland. Between that and my work at Everlaw and other things like writing, it's really hard.   

Lisa Hawke: Everyone probably talks about this, but especially in the COVID-19 world where everyone's at home, it's easy to be working on something all the time, even if it's not your full-time job. It can be tough to balance, but I try to stay focused on the things that keep me interested. And even though it is additional work, I try not to think of it that way. I don't think I have any great advice for balancing a lot of commitments. There's no secret sauce there. It takes time.      

Chris Martinez: You've handled recovering and guiding operations for major disasters before. First in your work at BP, leading the compliance response to the Deepwater Horizon catastrophe, and now you're doing the same with COVID-19. Can you share any lessons from the Deepwater Horizon incident that apply to today's uncertain landscape?

Lisa Hawke: I was part of the natural resource damage assessment team for Deepwater Horizon. But there were also 48,000 other people working on that response as well, so just want to note that. For me, what I learned during Deepwater and how I can apply that now, I think about complacency.   

Lisa Hawke: One of the big lessons for me coming out of Deepwater, especially when you're dealing with uncertain environments, is the importance of avoiding becoming complacent about anything. So in other words, you just have to constantly find ways to challenge your assumptions. When it comes to security, I think of how your company culture approaches security, all the way to your operations to what you're doing from a technical and operational standpoint. The reason I think about this is because when I was at BP, when Deepwater happened I was working in the commodity trading shop. The actual name of the business unit is North America Gas & Power.

Lisa Hawke: I was in a part of the business that was completely unrelated to drilling. We were on the side of the world that handles trading natural gas and power. That part of the business had just gone through an entire regulatory compliance and compliance culture transformation, because of a separate federal enforcement case that that part of the business had just gone through. When the Deepwater Horizon accident happened and the problems that led up to the accident all came to light, it felt pretty unbelievable to folks in my part of the business because we'd been working so hard for multiple years on changing the way the company approached compliance and thinking about safety.   

Lisa Hawke: It just showed me that you can never get complacent about things. It’s so  important to not let that creep in. Now I think with a security hat and compliance hat on, while making sure that we're not assuming that everything is running smoothly.      

Chris Martinez: Can you name some hidden or lesser known skills needed to get to and succeed in this role?

Lisa Hawke: To get to the role, I think is very different than succeeding in the role. I have to say that when it comes to getting to the role, my personal experience is pretty unique in that I was actually hired in my company, Everlaw, as a Director with a different title when the company was only 25 people. And my role has grown into what it is now. When I see job descriptions for other CISO roles, quite frankly, I'm not sure how they find anyone who ever meets all of those job qualifications and descriptions. Especially if you look at my background.   

Lisa Hawke: The other question though, to succeed in this role, from my perspective there's a few critical skills that I can share. One would be change management and risk triaging in the context of your specific business and operations. This is especially true in a startup. As a security leader, you won't be able to address every single thing and you're going to have to choose what is most important in your business to address and what's most important to your customers and regulators.      

Chris Martinez: How is COVID-19 reshaping the CISO’s duties and roles in everyday work and long-term security considerations?

Lisa Hawke: I think the thing that's on everybody's mind is working remotely and all of your team members that need to work remotely. If you were at a company that pre-COVID-19 was more based in the office, you had to make that transition pretty quickly. I think, just broadly, the transition to remote working and all of the impacts that COVID-19 is having on businesses both from remote work, but also from a long-term planning perspective, it's an opportunity for security leaders to step up to the plate and help lead the organization through uncertain or tough times. Especially at smaller companies where there might not already be a role dedicated to business continuity.

Lisa Hawke: If you think of the impacts coming out of the pandemic, they relate to security and privacy. How can you operate your company securely with a remote workforce? How do you stand up those capabilities? How do you execute on return to work? If we can even think about all that quite yet. As well as protecting all of your employees' privacy during this period where you may need to be collecting data from them that you never would have thought to before. I think if you're a security leader that's already been thinking about things like contingency planning and disaster recovery in the context of security, you can use those skills and help the business think through these other bigger COVID issues.      

Chris Martinez: What's the biggest change needed in the InfoSec community to attract and hire more women and people of color in the industry?

Lisa Hawke: This is a great question. I personally don't think that attracting underrepresented folks is the problem. I think that there are tons of talented people who want to and are in the field already. The problem I see more relates to the gatekeeping thing. Whether that's in the form of unreasonable job descriptions, extremely expensive training and certifications, or lack of actual entry-level roles or biased hiring practices.      

Chris Martinez: In your opinion, what could we as InfoSec professionals do to break down some of those barriers?

Lisa Hawke: I think there's several things. Some of the more recent initiatives I've seen that are worth highlighting are the Share the Mic and cyber campaign on Twitter. That's something that some folks in the Women in Security and Privacy (WISP) community participated in. WISP worked with the organizers of that campaign to set up a fundraiser to cover the training and certification expenses of all of the Black security and privacy practitioners who participated in that event. We have a fund that, last I checked, raised around $16,000 to help support the advancement of those folks in the security and privacy field for their certification and training goals.  

Lisa Hawke: We need specific and discrete efforts to support folks and get over these barriers and gatekeeping activity. I have two trains of thought when it comes to certifications. In some cases, I think that they can be extremely valuable for folks to advance their careers, but it's very frustrating to see how expensive they can be, especially for some of the well-known certifications. I think that as an industry, if companies are going to require those types of certifications to interview candidates for roles, especially entry level roles, then we have to do better as a community to make sure that folks are able to actually pursue those.      

Chris Martinez: Where are some of the largest blind spots in the industry and how can InfoSec leaders better approach these problems?

Lisa Hawke: That's a great question. I think the specific blind spots probably depend on a company's industry or their specific threat model. When I think of potential blind spots in security, they're more likely to be a discrete issue. But broadly, it would be company culture in general. I think culture can be a huge blind spot when building a security program. We hear a lot about security awareness and there's some great programs and resources out there. But awareness only works when you have a culture that supports things like incident reporting without fear of reprisal, and asking for help.   

Lisa Hawke: Practically speaking, the security team can't be involved in every single workflow or process at your company that other teams are dealing with that has security implications. For example, handling customer data. You really need to have a culture where folks on the other teams are proactively coming to you on the security team. That just all comes down to company culture.      

Chris Martinez: What are the most difficult challenges InfoSec teams face with compliance like GDPR or CCPA?

Lisa Hawke: On the privacy and data protection side, I think the biggest challenge is just dealing with different data types and usage issues. Or use cases across the company. Privacy and data protection goes so far beyond just production data if you're a B2B SaaS company. The definition of personal data, particularly under GDPR, is just so broad and it's going to touch every team, not just your engineering team. And it requires a ton of change management to address the actual requirements and best practices for privacy and data protection, but especially for the teams that are just not used to dealing with regulated data.      

Chris Martinez: What are the biggest challenges that CISOs face today?

Lisa Hawke: Related to an earlier question, there's no secret sauce to getting more hours in the day. Just being able to stay on top of the issue of the day that's cropping up, supporting your team and other teams. And then also generally trying to chart a course for your company that keeps your business secure, but also enables growth.      

Chris Martinez: As a CISO, what makes you get out of bed or wakes you up in the morning every day?

Lisa Hawke: I like to get up and go birding in the morning. I'm based on the East coast now, and getting away from the screens and being outside in the morning motivates me to get back to my screen and get work done.      

Chris Martinez: Can I ask where you like to go birding?

Lisa Hawke: Right now I'm in New York City. So most mornings I'm over in Central Park, which was really exciting in May during the spring migration. Things have slowed down a bit in summertime, but there've been a lot of hatchlings, so it's been fun.      

Chris Martinez: How much do certifications really matter when you're trying to climb the ladder and how can InfoSec practitioners make the most out of them?

Lisa Hawke: This is a really good question. And I hope it's something that the industry, especially on the hiring side, starts to really dive into. Because when it comes to certifications and whether they help you advance in your role once you're already in a role, I think it’s very dependent on what your role is. For example, if you're in a role where incident response is your primary responsibility, then maybe a certification is not really going to help you advance there. Maybe it is more along the lines of getting the on the ground experience, triaging in your company, and getting a demonstrated track record of being able to respond and escalate things as appropriate.

Lisa Hawke: In my mind, it comes down to the role. I think what I see is that, when you look at a lot of job descriptions, if they have any type of security in the title, whether it's Security Engineer or security governance, risk, and compliance (GRC), or Security Awareness and Culture, things that are totally different in a day-to-day role perspective, a lot of times they just will list out the common security certifications. Which I really don't think necessarily are that applicable for that role.

Lisa Hawke: I think certifications first can be important, but it really depends on the role. Going back to what I was saying before, I really hate to see when certifications are used as a gatekeeping mechanism for candidates, especially for entry-level roles. I think that the industry really needs to take a look at what our expectations are for an entry-level role and the expectations of the person in this role over the first three, six, nine, and 12 months. And why are we mentioning a certification? Is it really critical? And maybe it is for a specific role. I just think that across the board, they're just overused in job descriptions.      

Chris Martinez: What's the biggest lesson you've learned along the way that you wish you knew earlier in your career?

Lisa Hawke: The one that comes to mind is that it's a marathon, not a sprint. We're all going to be working for a long time, depending how old we are. Earlier in my career, I think I was more prone to burning myself out. Now I try to spend a lot of time thinking about priorities. Like I was saying earlier, I've learned to triage and focus on what's important. That can be hard, especially if you're somebody who loves being on the execution side, like me. It can be tough to put the brakes on sometimes. But remembering that it's a marathon, not a sprint is helpful.      

Chris Martinez: What are you most proud of as an InfoSec executive?

Lisa Hawke: I'm really proud of the culture of security that we have at Everlaw. We're so busy on my team because all of the other teams are constantly asking us for help or for feedback or for input on a process or a feature. It's a lot of work, but it's something that we've worked really hard to cultivate and perpetuate. I'm proud of the state of the security culture as we have it now.  

Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry's first cloud native data loss prevention solution. If you're enjoying the show, please leave us a review and rating on Apple podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn, and Instagram at NightfallAI. That's Nightfall A-I and email us marketing@nightfall.ai with questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you'd like to hear from. Stay safe out there and we'll see you again next time.      

About Nightfall

Nightfall is the industry’s first cloud-native DLP platform that discovers, classifies, and protects data via machine learning. Nightfall is designed to work with popular SaaS applications like Slack & GitHub as well as IaaS platforms like AWS. You can schedule a demo with us below to see the Nightfall platform in action.