At Nightfall, we believe in the power of learning from those who have done it before. That’s why we created CISO Insider — a podcast interview series that features CISOs and security executives with a broad set of backgrounds, from hyper-growth startups to established enterprises. Through these interviews, we’ll learn how industry experts overcame obstacles, navigated their infosec careers, and created an impact in their organizations.
We’re sharing the unique opportunity to learn how to further your security expertise, hear best practices from thought leaders, and learn what to expect when pursuing a career path in the security industry. For CISOs and executives, it’s an opportunity to share learnings and provide mentorship at scale. Security professionals will get a unique lens into the security landscape, uncovering career-accelerating insights.
Lisa Hall joins CISO Insider to discuss diversity in the infosec industry beyond hiring to meet DEI quotas. It starts with diversity in thought and background among her staff, which leads to greater diversity in the work they do at PagerDuty and eventually throughout the industry. Please note that we did this interview with Lisa when she was still in her role at PagerDuty — she’s moved on to Color as their CISO as of this writing.
Click on the player below to listen to the chat, or follow along with the transcript in this post. For questions, feedback, and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from, please email us at email@example.com.
Chris Martinez: I'm Chris Martinez. Today on CISO Insider, I'm joined by Lisa Hall, PagerDuty's head of information security. We discuss what diversity in the infosec industry really looks like: not just hiring to meet DEI quotas, but fostering differences to build strengths across the board. Diversity in thought and background among her staff is a major goal for team building and it leads to greater diversity in the work they do at PagerDuty. Other ideas we chat about today include why leaders should make and maintain connections within the industry, and turning the restrictions of COVID into a positive with recruiting wins, like the ability to expand hiring to a greater pool of candidates and optimize for remote work. Please join me in welcoming Lisa to CISO Insider.
Chris Martinez: I'm here today with Lisa Hall from PagerDuty. Lisa, thank you so much for joining us on CISO Insider.
Lisa Hall: Thanks for having me.
Chris Martinez: How does governance, risk, and compliance (GRC) play a role in your work as an infosec leader?
Lisa Hall: I think when it comes to GRC I generally think of it as a functional area of a holistic security program. It's just like one more leg of a security program, and it's different for each company. At PagerDuty, I usually describe compliance in that world as more of a lever that we can use to get things done. We have a compliance program, we have application or product security, and operational or infrastructure security as our three tiers. And they each play a different role in a holistic security program. Sometimes GRC and compliance can be something that a customer is driving. Customers demand as we need this compliance thing to prove that PagerDuty can pass you as a vendor. Sometimes we use it just for customer confidence, and industry confidence overall. Like someone else is checking us besides ourselves, which is always good.
Lisa Hall: I also think, from my perspective, it gives you a view of your entire program in places you might not look. Application security is very specific to working with developers and designing secure code, and enabling and scanning too. The GRC component generally gets you to look at everything, like different domains. If you don't have a focus area, you can at least put eyes on it and say, "We should look at BCP. Or I didn't think about physical security because I'm in the cloud. Maybe I should see if I'm a bit mature on this level." That's generally how I look at it. It's just another player in the overall security game.
Chris Martinez: One of the core competencies of PagerDuty is incident response. How do your response principles and practices for customers reflect in your internal incident response philosophy, or operations?
Lisa Hall: Good question. That's kind of what we do at PagerDuty. It actually helps the security team and me, as a security leader, to have those two things closely aligned. Our security incident response is different from our PagerDuty incident response, but also again very closely aligned. It helps that internally employees at PagerDuty understand what incident response is as a concept. It makes the importance of incident response not just a security concept.
Lisa Hall: I think it emphasizes the importance of security education across the company because we have incident commander training, for example, for anyone who's on call at PagerDuty. Our people outside of security even go through training for this. On our website, we have amazing documentation around this, and the security team can leverage it as well. We have some nuances with security, like privacy and some things you don't want to pull everybody into. But we follow a lot of similar practices, like performing postmortems. And it really does help that the concept is a very digestible idea across the company. It really brings home that when security is part of the company culture, it helps overall.
Chris Martinez: How do you strike a balance between fostering innovation, and building community based solutions with strict compliance and security requirements?
Lisa Hall: It feels like there's more regulation every day. It feels like you’re thinking you can spend your time building something cool, but now security is the blocker. But we definitely don't look at it that way.
Lisa Hall: I think you pretty much said it: building with innovation, security, and development, to me, is a creative industry. And so, by having requirements it just means we have to be creative, and think about how we can build something right the first time. It doesn't mean we can't go fast. It doesn't mean we can't be innovative. In fact, it means we should be even more innovative, and think about the choices we're making, and be mindful of those choices when we're developing software or solutions. We're really looking at kind of like the risk assessment of that, and the impact, and having a security mindset from the beginning, as opposed to trying to fix things later.
Lisa Hall: It actually will make us more competitive and more innovative. We will be solving problems for other companies as well, as an industry. We're probably not the only company that has notification services. And we're not the only company that has HIPAA or FedRAMP requirements. We can solve problems for our future selves and for the future of the community. So, I think instead of looking at it as more regulations and hoops to jump through and blockers, we instead think about things more creatively.
Chris Martinez: What does a security mindset look like for you in your everyday work at PagerDuty?
Lisa Hall: Part of how I imagine security is as a creative industry and a creative thought process. Technology in general is always changing. And I feel like most people, or at least the people that I'm surrounded with in security, are learners. We're interested in things. We're tinkerers. We want to figure out how things work. And part of that is this creativity on our team at PagerDuty. We have people with very diverse backgrounds. When I was going to school there was no security curriculum. You couldn't major in security. You took computer science. It's gone so much further now. Now we can be trained in a specific thing, and that's very much needed for certain aspects of the career, and the industry.
Lisa Hall: At the same time, we have somebody on my team who has an educational background. She worked in the education field for a really long time. I see how she leverages her communication skills, and how she's partnered with parents and teachers, and different stakeholders, and influenced them. I see that in her work today. I have another person on our team who came up through customer support, so they have a customer-focused mindset. This allows them to think about solving problems differently, or ask different questions. Maybe someone who's been coding for 10 years would say, "I just want to stick to what I know," while people with different backgrounds and mindsets think about solving problems differently.
Lisa Hall: I think having that diversity in thought really helps and circles back to my point on being in a creative industry. Having that mindset that different inputs are great means we should look at different ways of thinking about things and adjust for that depending on what your company needs are, what your team needs, where you have gaps in talent, all of those things.
Chris Martinez: As we're coming out of the pandemic, what is the number one learning you and your team gained about infosec, and how are you looking to apply that learning going forward? [please note this episode was recorded at the end of summer 2021 before the omicron variant of COVID started spreading]
Lisa Hall: I think adaptability is the main thing I learned, which we did really well at PagerDuty. I considered myself pretty adaptable in life, in general. That is one of the biggest things we learned because things change quickly. Technology changes quickly and we have to be able to adjust for change, have empathy, and look at things from other people's perspectives and not just our own. We had to shift from thinking, “I'm having a bad day” to “How's my team doing? How's everyone feeling?” And I had to ask myself what I could do to be an empathetic leader and how I could adapt and adjust not just for myself, but for our processes internally.
Lisa Hall: We had to start asking what really matters: is it making sure we're checked in at 9:00 AM? Or is it, are we delivering something? Are we taking care of our emotional health? We took a good look at all of those things to shift how we think about our people. We have to be able to adjust our mindset to think, "That worked yesterday. Now it has changed. There's something else today."
Chris Martinez: In our previous conversations, you mentioned that your team is mostly women, which is amazing. Can you talk about how you built that team, and what you're doing to retain the essential people in these roles?
Lisa Hall: Security is a hot job market. There are lots of roles open. People generally want to work where they feel accepted and appreciated. At this point in our team, this pretty much speaks for itself. Yes, we are majority women. We are a very diverse team. One of my first jobs was working as an executive assistant for a CISO, and just seeing a woman CISO was so cool at that time. Now, we take to heart the idea that our people can come to work and see other people like them and work in a team that is diverse. They have people they can relate to.
Lisa Hall: I think part of that brings some genuine connections. We all are working a job probably because we have to work, but it's nice if you can work for a team and a company that you appreciate. Working for a manager that appreciates you and makes you feel valued, plus the feeling that you can contribute to some overall good or build cool things.
Lisa Hall: Also, having the ability to call out when you see something that doesn't look right. In recruiting especially. If you see a lot of candidates in the pipeline that look very similar, can your team speak frankly to that and ask what can we do to fix it?
Lisa Hall: I believe in being a very active participant in recruiting. We have an amazing recruiting team here at PagerDuty, but I feel like it's part of my job to participate. I've had much more success building my pipeline of peers. And in security, we have a really good community despite some of the bad parts of it. In our tight-knit community, it’s important to build a pipeline and your networks. I don't think we put enough emphasis on how important those things are. I spend a good amount of time just making connections with people, or chatting like you and I are doing now. I think it's really great to meet other people in the industry that are interested in security.
Lisa Hall: If I'm recruiting for a role, I have much more success when I reach out to someone on LinkedIn if I say, "I'm part of the security team here and we're hiring. Here's the cool stuff we're doing. Seems like a match." As opposed to relying on cold calls from a recruiter. I don't even know if anybody checks LinkedIn inboxes anymore for that. It's a harder sell no matter how great your recruiting team is.
Lisa Hall: I think it is about being that face of the team you want to build, and putting yourself out there, and representing. And looking in unique places. Not having to go through traditional routes, or relying on old tactics like going just to one school to recruit from for interns. And of course, being open to people with different backgrounds. Not everyone has a CS degree in security.
Chris Martinez: How can we as infosec professionals support and maintain equitable and inclusive environments that provide more places at the table for people who want to work in this field?
Lisa Hall: I think part of it is building up that community and network. Another thing is calling out issues when you see them. If something doesn't feel right or isn't looking right, bring it up and try to fix it. I also believe in raising people up and providing opportunity for people. We have people in our company who've come into security from IT and customer support. We have somebody with an audit background. I already spoke about the person on our team with the education background who just got interested in security. Leveraging your ability to find diverse people by recognizing diversity in talent, that everybody has a unique skill set. That way, you ensure that your team doesn’t fall into the trap where everyone is the same. And we should pay attention to the awesome things that are different about ourselves.
Lisa Hall: And also, just understanding that everyone doesn't always want the same thing. Listen to your people and see what they're interested in. Some people really want to be managers, and some don’t. Understanding this will help you learn where you can leverage the talent on your team. We have someone on our team who's really interested in getting more technical, even though she's very technical. She thinks she’s in a non-technical role, but she's able to run our penetration testing and vulnerability scans. Find opportunities for your team to grow.
Lisa Hall: We're diverse in the work that we do too, even within our groups. We have compliance, product security, and infrastructure security. If someone's interested in something, we encourage them to go learn it. We want people to learn as much as they can. We do shadowing. And reverse shadowing. We're really big on mentorship. And also, creating an environment where it's okay to not know everything. It really helps to know that the people around you are all starting from different places and we all have different experiences. I don't know everything but, hopefully, I surround myself with smart people and learn every day.
Chris Martinez: We've seen in the news about how the pandemic has harmed women in the workplace. Has COVID played a role in how PagerDuty or your team manages DEI for success?
Lisa Hall: Overall, I think PagerDuty is pretty geographically diverse to begin with. One good thing that COVID opened up for us is making hiring more remote friendly. We were already doing that a bit before the pandemic, but it's opened up so much opportunity to hire people who aren't from traditional areas that we would hire from. We have offices in Toronto and San Francisco, and for a long time those two cities were our base for hiring. And now, we’ve opened up the opportunities to hire people who don't live in a big city, or don’t go to major conferences.
Lisa Hall: I also really appreciate that we're doing so much virtually now. If you couldn't afford to fly to conferences every year, there are more conferences and events for data security you can attend virtually. You don't have to come to San Francisco. A lot of these conferences and networking events are either low fee or free for virtual events, which I think is great. It's definitely an upside of us all being trapped at home, and not being able to travel.
Lisa Hall: At PagerDuty, we've latched onto this great opportunity to expand where we're hiring, and give people more opportunities. Before, candidates from outside the area here would have to fly to San Francisco to interview with us. They’d have to get a hotel and make arrangements for care for their kids, or pets, or parents. But now, we can interview and work virtually without interrupting our lives. Work doesn't have to be all encompassing. We can fit it into our regular lives too.
Chris Martinez: When you define each pillar of DEI in your everyday work with your team, what do those words actually look like in practice?
Lisa Hall: Recognizing that each person is different. Knowing each person’s skill set, what they excel at, where they want to learn, and how to give them opportunities. Our team member with the background in customer support is a great example. We avoided a mindset of thinking their only skills were answering customer questions, and not adding value to the security team. We saw the opportunity to work even closer with customer support for secure disclosures, or something that doesn’t always come naturally to the security team. It was a great opportunity to leverage a new skill set in the role, and apply it to the internal security team. Part of diversity and inclusion is recognizing that everybody has different backgrounds and focus areas, and my job is to give them opportunities to learn and contribute to the team.
Chris Martinez: What does a diverse team actually look like at PagerDuty?
Lisa Hall: Diversity means so many things: being diverse in thought, in background, and in where you grew up are just a few things that contribute to a diverse team. Our team is majority women, which is not super common in security, but there are so many other ways to be diverse. In recruiting especially, being diverse means wanting to talk to more people who are different from your usual hires. I want to hear some other opinions. If we're talking about building something new, or making a change in the team, or even everyday projects we're working on, I want to hear different opinions. I want to be challenged. I want to know what people think.
Chris Martinez: Who gets the opportunities and chances for advancement in challenging projects?
Lisa Hall: We are a small enough team where there's always opportunity to take on new challenges. My attitude is, if someone is willing to learn a new thing, it’s theirs. Running pentests, performing a scan, compliance and SOC audits, are all available to anyone who wants to learn. Security is interesting because there's a lot of crossover. There are certain things that are very compliance-focused, or very application security-focused, but there is enough crossover in other areas where the team can benefit from learning different aspects of security. Even outside of our team, if someone's interested in security, I encourage them to find the thing they like. Experimenting with security to see what you like working with is a huge opportunity for growth. That means while we don’t always get to work on the shiny projects, there’s no siloing or gatekeeping or hoarding knowledge. That's not how we roll on this team. With us, there’s no single point of failure. Everyone can learn something.
Chris Martinez: How does inclusion factor into each role and the work the team is responsible for?
Lisa Hall: I think that does go back to transparency. Inclusion overall is including everyone in what we're doing. Breaking down silos. We try for a balance of senior engineers to junior engineers on our teams to foster mentoring and allow our people to ask questions and learn from being wrong. By fostering inclusion, we build trust within the team. Transparency means seeing your coworkers as real people, and being a real person yourself. When we’re open with each other, we can ask better questions within the team and share what we're working on and learn from what others on the team are working on.
Chris Martinez: What's the biggest challenge you see ahead for achieving high levels of inclusion and equity in the SaaS space? We've made a lot of progress, but we still have a long way to go.
Lisa Hall: I think the biggest challenge is just getting people to do it. Making the right choices and putting in the effort takes time, especially from a hiring perspective. Putting in the actions towards responsibility and accountability is a huge effort. Our biggest hurdle is non-action on things. It's not easy to put yourself out there. Sometimes it can be scary to speak up when things don’t look right. But we must.
Chris Martinez: What's one piece of advice you'd give to yourself at the start of your career?
Lisa Hall: I would say, be kind to yourself. I think a lot of us are hard on ourselves in general. I had expectations that I should know everything, or I was being scrutinized because I'm the woman on the team. The idea that I didn’t know every single thing about security was terrifying. Sometimes you will get things wrong. You’re always learning in your career. Remember that there are influences outside of your control and it's okay to not be perfect all the time.
Chris Martinez: What are the top lessons you've learned from your team in the last year?
Lisa Hall: I love my team. I learn so much from them. One thing that stands out is the need to keep a sense of humor as much as possible. The past two years have been hard for everybody. Keeping a sense of humor sounds kind of dark during COVID, but that’s why we must find joy where we can. And sometimes it's in random places. The second lesson is empathy. My team has helped me just realize that adaptability is so important, especially in the last two years. It helps me remember that we work with humans, not robots.
Chris Martinez: What security oriented conferences and events are best for women, people of color, and LGBTQ+ people to attend?
Lisa Hall: Day of Shecurity is a good one. There’s the Diana Initiative, which happens during Black Hat. There's lots of groups too, like WISP: Women in Security and Privacy. DevColor is a Black engineering group that does amazing things. Those are my top recommendations.
Chris Martinez: Which podcast or books have you read lately that you can recommend to our listeners?
Lisa Hall: I've been listening to Security Weekly and Risky Biz. The last security book I read was the latest Tribe of Hackers, which is always good because it features different security practitioners speaking. You don’t get just one voice.
Chris Martinez: What motivates you to get out of bed every day as a security leader?
Lisa Hall: The first thing is definitely my people: my team and the company I work for. I'm very appreciative of where I work, and that has to do a lot with the people. As for the company, I want to make sure we're doing the right thing for our customers, and offering secure products and services. I am a part of PagerDuty, so I want to represent that.
Chris Martinez: Lisa, thank you again so much for joining us.
Lisa Hall: Thank you so much. I really appreciate you having me. It was great chatting.
Chris Martinez: Thanks for listening to CISO Insider, a podcast created and sponsored by Nightfall AI, the industry’s first cloud native data loss prevention solution. If you are enjoying this show, please leave us a review and rating on Apple Podcasts. The ratings and reviews help more people find us. Follow Nightfall on Twitter, Facebook, LinkedIn and Instagram at Nightfall AI. That’s Nightfall AI, and email us at firstname.lastname@example.org with questions, feedback and suggestions about CISO Insider, including suggestions for CISOs you’d like to hear from. Stay safe out there and we’ll see you again next time.
Next time on CISO Insider, we’re chatting with Bluecore CISO Brent Lassi.