Lisa Hall

Lisa Hall: [00:00:00] Thanks for having me.

Ashish Rajan: Glad I could have you here. I think I’m really excited about the extraordinary journey that you’ve had because just to give you a theme so far last week I had a Zinet, she came in from a legal background into cybersecurity . Unknowingly, we have quite a theme going for people coming from a non cyber security background.

So, I’m really excited about you coming on the show, I feel I’ve known you for some time, but for people who may not know Lisa, tell us a bit about yourself and I guess then we can go into obviously what you currently do,

Lisa Hall: yes. My name is Lisa.I Head Up Security at PagerDuty. We are most well-known for on call notifications. If you’ve ever been on call, we’ve woken you up at night.

Yeah, but I head up the security team. So we are a team that covers product or application security, infrastructure, security, and compliance. That is my. Oh,

Ashish Rajan: nice. And I think the theme of the show is that you have an interesting background from when you started to where you kind of are today.

So executive assistant, I’m going to let you share the story. And so. What was it? Executive assistant to a CISO [00:01:00] all the way to head of security. I’m sure it didn’t happen one day, but it took a while. What was the kind of the transition that you had to kind of go through?

Why is cybersecurity is my first question?

Lisa Hall: That’s a good question. Cyber security is really interesting and it’s always changing and it just sparked my interest. So like, oh, this is something that you can like go different directions with and it’s dynamic and Yeah, that pretty much drove me to it.

I thought it was some cool stuff. I had always been interested in computers, so it like, well aligned with what I enjoyed doing in the past. Like in I’m I am gen X. So

I know we had a conversation about gen X music and we can maybe get to that, , later the podcast. But I love being gen X. But I was luckily exposed to computers fairly young and I really enjoyed figuring out how they worked. And that was part of what also, , made me excited about cybersecurity because I was like, oh, I’ve done this.

Like, I know this, this is the stuff I was doing for fun. And this is like a real job or with sort of a job in the nineties. Ish. Oh,

Ashish Rajan: that’s an interesting, so if you, you already had an interest cybersecurity [00:02:00] before. I mean, just didn’t know it was a job. Like it was something that you can get paid.

Lisa Hall: Yeah. I mean, mostly just in computers, like one of my first, previously to being a executive assistant was help desk for apple. I liked figuring out how to, like, I dunno, do walkthroughs for the games I was playing and figure out how to make sure the computer was working. And I was going to school for graphic design, which was a thing at the time that you could do in the nineties because not everybody has.

Photoshop. Nobody had the G4 yet. And they were just like, oh, what’s this Mac thing happening over there. So yeah. Yes. So it was just that kind of, I think drew me more to cybersecurity because it was about computers. And then yeah, I was working for apple as help desk, like tier one, literally telling people to plug their computers back in so they could work again.

And yeah, I ended up at the executive assistant role eventually.

Ashish Rajan: And so what, what was the biggest hurdle? Cause I imagine, so you definitely had a bit of a technical, I guess, inclination for lack of a better word, you just learn it yourself and you had your first job there, but I don’t imagine that leads you to cybersecurity.

Oh, it wasn’t, that, that makes it easy to turn from an [00:03:00] EA into cybersecurity role? So what’s the biggest hurdle that you came across when transitioning from say from the moment you decided actually great job as an EA , but I think I want to do a full-time job in cybersecurity

what was the biggest hurdle? The

Lisa Hall: biggest hurdle was probably. Being my best advocate. Like I think I’m still not great at doing that where I like just saying, okay, I can do this in saying that for myself. I always, it was kind of in the camp of like, well, if I do a good enough job, it’ll speak for itself.

Clearly, like I’ll be promoted because what else is it going to do? I’m great. So like, that was part of it of saying, being able to like speak up and say, I really like this, this is the thing I want to do, and I’m good at it. And being able to say, I’m good at this without waiting for other people to say, you’re good at it.

You should go do this. And I did report to the CISO so I reported to I was just doing EA jobs. I was doing executive assistant. My degree is in business, business administration, not technical, but when I was in school, you could only go for like computer science. This was not like security was not a thing.

You could be like, I could be a computer science major and that’s pretty much it. Again, gen X.

Ashish Rajan: Yeah. I know. It’s like now [00:04:00] it’s sexy to have like a degree in cybersecurity, but it was never a thing.

Lisa Hall: Yeah. And it felt like so contained where it’s like it was broad then, but it was just, , it felt, yeah.

I felt like I could figure that out.

Ashish Rajan: So as to, did you start doing I guess I guess while you were at EA you started incorporating some of the other parts of the job as well. So that’s how you.

Lisa Hall: Yeah, definitely. I think when I initially interviewed, I was at EA at CoreLogic, I was living in Dallas at the time.

And, and yeah, I interviewed for the executive assistant role and once it was just like a perfect match, it’s like, oh, you also know about computers. You like computers where you should definitely be the, the EA to the CISO and I just was, I knew I liked it. I was like, this is my jam. This is where I should be.

I was lucky because I could just basically do everything she did. Like, I followed her around, I attended board meetings, I toured data centers. I was like, what are you doing? I’m going to do it too. Like, show me, show me, show me. And it was really great. , she was open to it and I learned a lot.

And then kind of, I did the traditional route where one of the routes of a then I went to security analyst and security [00:05:00] manager. Then I went to TPM, like a technical program manager and then to senior manager and then to the role I’m at now. So I kind of took like the analyst role to management route, as opposed to like analysts to IC to CISO route.

Ashish Rajan: Yeah, I’m sure. And I think that too, what you said is very interesting because I imagine for the security analyst job as well, it would have been a lot more easier conversation for you to kind of talk about things you were already doing in your work at that point as an EA, because I guess did tour of a data center.

I don’t know how many people have actually done that in today’s generation. I guess it’s like, it’s not even a thing anymore with AWS. You don’t even know where the data is.

Lisa Hall: No. Yeah, that is true. I am lucky. Except when they were talking about fire suppression I just, I have this memory of that. Like someone who was, was touring with us the very first time I went to a data center or like, and then there’s fire suppression.

So, , like two seconds here, all the air is going to be sucked out. Oxygen will be sucked out of this room. I don’t know what the time I was like, yeah, this is going to be great. I’m going to be looking

Ashish Rajan: at, so when do we leave again? Yeah. Yeah. Yeah. I think we should definitely be leaving any moment now because I’ve [00:06:00] seen movies where the things go bad, so,

oh no. And I think it’s really interesting because you obviously did not really think that cyber security was going to be a job for something that you wanted to do. And you’re kind of approach it from a perspective that. I like this. I want to absorb as much as I can about this job in my, I guess what you’re already doing it in your current job, but then you kind of took that part.

I’ve got a question here. I’m not sure if you want to answer it, but how you would think. Well, what are your thoughts on SOC as a moving is security operation.

Lisa Hall: Yeah. Which one? SOC like, as in SOC two, as

Ashish Rajan: in a complaint and it says more of a SOC job, I think, as in the working at a security operate, like a response

Lisa Hall: person.

Yeah. Just like the movies. Like when I think of SOC this is, I mean, so yeah. I imagine like this room, like there’s all these monitors and we’re like, look at that chart, do a thing. Yes. I think SOC is important. I think a lot of the companies that I’ve been a part of, at least in the. 10 years, I should have been more startup E based or like we definitely can’t have a SOC , like a full SOC team, at least where we’re doing SOC [00:07:00] things where we’re monitoring, we’re alerting, we’re using PagerDuty, like wake you up.

But yeah, I think there’s a certain point in a company where you’re like big enough and mature enough to have a proper size. Yeah. But ultimately it’s the same thing. It’s a good, you have to have it to some degree.

Ashish Rajan: So thanks for that question. And hopefully the answers that we believe it was security operation center person. So he can correct us if I’m wrong

Lisa Hall: about that.

Ashish Rajan: So now, so now since you are head of information security, and I think this is a cybersecurity career month as well. I’m sure a lot of people are curious.

What does a day in a head of cyber security look like for for yourself? So what’s a typical day. Like,

Lisa Hall: so I think this is probably different for everyone who has a similar role. I imagine it’s a little bit all over the place for me in my role. It’s a bit of technical work, people management, customer interaction.

Interaction with stakeholders. Like I said, I have a team that heads up application, product security, infrastructure, and compliance. So it’s partially a lot of time planning looking forward. Like in this role, you’re always trying to put in [00:08:00] motion what the vision is. Making sure you’re looking at risk in the day to day.

Also some hands-on keyboard things. I still do that. I think that’s probably a good thing for most CISOs or head of securities to actually. Still be able to execute on some things. And sometimes you’re just like, well, it has to get done. I guess I’m the person to do it. We’re going to do it. A lot of like networking advisory, just kind of trying to be the face of security at the company , and pushing that the security culture customer time.

There’s so many things it’s kind of spread all over the place. Basically lots of meetings. That’s what, yeah, definitely,

Ashish Rajan: definitely lots of meetings, but somehow we all figure out how to promote cyber security in the company. So a bit through meetings, that’s actually, that’s a good one. How do we promote cyber security through meetings?

That’s pretty much harder to do.

Yeah. Cause I think, I wonder how else would you, I mean, I, cause I guess with the work from home thing, now it’s even more meetings, I guess. So it’s not really going to be, in-person having a chat over a company event or something. So , what are some of the skillset like? So if someone wants to be a head of cyber security or heard [00:09:00] of security, what are some of the skills they need to be successful in this kind of a role.

Lisa Hall: I think overall it is a little bit of everything, right? So the traditional soft skills, which is like a horrible term, but yeah, you should be able to talk to you. I have to re , make slides and talk to the board about risk at the same time. I am in the camp of CISOs or heads of security should be technical.

It doesn’t mean, , the last time I maybe coded something and pushed it to production was probably a little too long ago. But I should be able to speak to my division. And talk to my application security team. It doesn’t mean I have to know everything. It’s almost impossible. Like security is super broad, but I am open to learning it.

It’s exciting to learn things. So I think you’re better equipped if you are a CISO who does have some kind of technical knowledge or wants to know that I was talking to someone recently who said their CFO was interested in Kubernetes. Like, Hey, so I heard use Kubernetes. How does that work?

Like very similar, like why? So the [00:10:00] CISOs should definitely know this. Like, I don’t need to know every single thing about Kubernetes, but if it’s a tool we’re using I should know about it. That’s gonna make me a better CISO . So I’m definitely in that camp of like, oh, maybe I wasn’t familiar with AWS before.

Cause I had a data center suffocate me. And now I should probably go take a class with AWS and maybe it doesn’t mean I have to be an expert. I don’t have to know everything about AWS. I am, but maybe I should have kind of the basic ideas about how AWS.

Ashish Rajan: That’s interesting. So would you say, and it’s a pretty hot topic for a lot of people.

Cause a lot of people assume that say being a CISO or being a head of security you’re way far away from any of the technical details. But I’m kind of with you on this one, that technical camp as well, because the kind of world we’re moving into, where it’s a lot of cloud, a lot of kubernetes . And basically it things just keep happening more often and you almost go wait, I need to at least have a basic information about what this is.

You don’t need to be like kubernetes certified expert, but definitely some information to know how it’s used in your [00:11:00] organization and whether that’s the right way to use it. Yeah.

Lisa Hall: A hundred percent. I think that security we are, we do the best for the most valuable when we’re providing value to the business.

So how can we provide value for just in some box saying, well, then this standard says, blah, blah, blah. It’s like, that’s great. But does that work for, , PagerDuty? Does that work for this other company? Like what you have to be able to apply? These like standards and concepts and best practices to where you’re at and understand the risk of that.

And how can I make good business decisions if I don’t understand the business and the technical side I feel the same way about if you join a company like you should learn about the product that the company offers. So in the same way. So you were part of the business team, it’s just,

Ashish Rajan: yeah. And I think as you kind of say that I kind of going, , how people have all companies have CIO CTOs, they’re the same as well.

They’re technical, but they’re not like I don’t know, like an AWS expert. They might know a few services here and there, but they don’t like deep into the weeds. You kind of know, oh, this is exactly how you would do it. I’ve got a question here [00:12:00] from Jothi and we’re going to go and do none of this before, I guess, much later, but I’m curious any advice on approaching professional for mentoring to develop any domain in secure security and that what are your thoughts on this?

Lisa Hall: So on approaching professionals for mentoring. Yeah. For that I think. And it does depend on the people. But what I have learned is that the security community, we have our faults, but ultimately this is an amazing community of people. Mostly I found that people want to help each other and we have good hearts and we want to secure for everyone.

Like it’s like our, my, my security is your security. Like let’s share knowledge and , we’re kind of all in that camp of like this optimism. Like we can solve this thing too. So I would suggest reaching out to people. Anyone can reach out to me on LinkedIn reaching out just with the people who maybe do someone you look up to or someone who you’ve got a question for like, try to reach out to them.

A lot of people you will probably find are actually very receptive. On the other hand, there’s also a lot of formal mentoring groups out there. I belong to battleship. [00:13:00] Actually. It’s like one of the mentoring, there’s many mentoring programs where you can sign up and you can request mentors for like the thing you want to do.

I want to be IC. I want a principal security engineer. I’m going to go find somebody. I could talk to her. I want to be director of security and go find that person. And they’ll align you up with that. I know LinkedIn has some things. And then I would also say, leverage your name. Get to know like whatever you’re interested, find those people, because it will be to me networking.

And , that sort of like finding those areas has been so important. You’ve got like OWASP or a women insecurity and privacy, like some women organizations or dev color, black engineering. Like you can, you can find kind of where you can network and what’s most comfortable with like where you find your joy and find

Ashish Rajan: those.

Oh, see, that’s a good point because the hardest part is identifying which domain, because cybersecurity is so wide as well. Depending on the domain, if you kind of select one domain, then it’s next to, as a matter of finding someone you feel who would be a good mentor for you in that domain. Would that be kind of a good way to describe

Lisa Hall: it?

Yeah, definitely. I think there are certain things like, OWASP for example, like that’s [00:14:00] very, you’re probably going to run to people who code and are interested in security standards for SDLC. Probably or if you’re into like GRC , there’s working groups for that. And it’s always, most people are open if they don’t know, they’ll probably direct you to the right, like, oh, you should talk to, you should go see this group, this isn’t you.

Ashish Rajan: Yeah. And I think that’s sort of interesting because that kind of feeds into another question that came from Anshul about his question was around what I found the prerequisites to get into a SOC thing but it’s kind of similar thing. If you’re interested in SOC it’s more finding someone who’s already in SOC to telling you what’s the field really like.

What’s a day in his life of a SOC person. And not that it’s I find a, find two ways for it. And you can correct me if I’m wrong. I normally found that if you’ve reached out to say someone like yourself, you can, you can tell the reality of what it’s like living Head of S ecurity. Cause , people may have perception of what that role is from the outside.

Oh, the second really amazing role you worked for you get to do technical things as well. You get to compliance board. It’s a really great mix. I think it’s really perfect for me, but then they talk to you and you tell them the reality [00:15:00] of it and go, oh, I actually thought it’d be like a lot more different, but I definitely feel like from that perspective, what far-reaching.

And knowing what it’s like, I mean, I don’t know. What do you think

Lisa Hall: I’m totally with you? Like people be like, oh, I didn’t know. You spent that much time in meetings or when I attend stand up, cause all the 10 stand up with my team and I’ll post the things I’m doing and they’ll be like, damn, I didn’t know you worked.

So I didn’t know. Actually, I thought you were just in meetings all day. It’s like, wait, no yell. I do both. For this question. I think it’s interesting to like, take a step back almost and say, how do I get into security? Let alone like a SOC team? Cause I think the answer’s pretty similar. If our team even, , I came from business degree, executive assistant on the team at PagerDuty.

We have people who’ve come over from customers. From it. I have some background. I have somebody who went to school to be a medical doctor. I have two people who were in education before they came over to security. So. Even if you just want to get into security or then specialize which happens a lot because usually once you land, you’re like, oh, actually I like that part.

Somebody else can do, , network [00:16:00] security. I really like coding and spend time with developers. So part of it, I think is again, like leveraging your network and where you’re at. So a lot of times companies will have security. Get to know those people. We, , they can help you and also help you in a place you’re already at.

If you enjoyed the company, you’re at a lot of companies do want to like grow from within and, and train. Also a lot of companies do pay, have reimbursement for education. So that’s a good thing to leverage. If you want to get into. Or any other thing, ask your company, like, do you pay for reimbursement because it’d be great.

PagerDuty does, like, I can go learn. I can go get certified in AWS. If I wanted to. Or whatever brand new tool, fancy thing comes around, I can at least go learn it. So , those are probably, and to your point too, like networking with the kind of areas that, , you’re, you’re focused in, but yeah.

Ashish Rajan: Yeah, I think that’s a good point as well. Cause you already have so I guess for directly ask the entry question as well, that if you already have a SOC team in your organization, maybe the easiest starting could be just to talk to one of those people and find out what what’s it like, and then make a decision if [00:17:00] that’s really where you want to go.

And if you do then looking around for if there’s an opportunity, Within the company that you want to switch over, because I think to your point, it’s so much more easier to try to have someone from within the company than hiring a new person, hiring a new person. It’s so hard.

Lisa Hall: Yeah, I totally agree. It’s it’s and it’s nice because the per the person from within the company knows about the company.

Yeah. You can take all this knowledge and just expand it more into security or whatever else you want to do.

Ashish Rajan: Yeah. Awesome. All right. Hopefully that answers your question Anshul . And thanks for your question as well, Jothi . The next question that I had, so we sort of spoke about that, I guess.

The soft skills side of people that might be required. And I think the only reason I asked the soft skills part is because we as cybersecurity people, they try to Google this information, right? A lot of information comes out. You should be AWS certified. You should have this certification too. You should have CISSP and all that.

But a lot of people kind of forget about the convincing part of things I believe a lot of conversation that a security leader would have is based more on relationships . It’s more like me having a conversation with you. I would love some help from your [00:18:00] team.

I need to have a relationship with you and in terms of going, Hey, how can we help you? How can you work together? And what’s. But a lot of people don’t kind of focus on that. It’s almost a focus always on, oh, what’s the skillset in the cyber security team. Do you guys application security, security operation?

Where does the skillset, what goes technical really quickly, but , how much of the job do you reckon is just working with other people instead of technology?

Lisa Hall: All of it. No, no. So much is people and it, and again, it does depend on the company and the level of like where you sit in the company too, because if you’re an IC and you’re comfortable spending your time, like hands on keyboard, chances are, you can probably, depending on the size of the team, you could probably get away with that.

You’re like, I don’t want to do meetings. I don’t want to negotiate. Funding or anything, but when it comes down to it, as you, like, especially once you’re a people manager, those soft skills or whatever they do come in there, their requirement, I have to be able to explain, I need to be able to speak technically with my.

And then explain why that’s important and how it relates to the [00:19:00] business to ELT or stakeholders. And explain how we, as security are building this thing, that’s going to help you move faster or make more money, or by automating this, or if you do it early, like the whole shift left thing, right. Let’s scan our code early.

That way we don’t have to have. 10 cycles in your sprint about remediating vulnerabilities, because we actually stopped them in the beginning. So all of those, all of those things, there’s a lot of negotiation and without people skills. And I think part of the other thing that I will end on, then I’ll stop talking about it is I do think knowing the business is a big part of that because you can’t make good decisions as a security person, or actually probably any, any department in the org.

If you don’t know. You don’t know what the goals are of the business, because then you can make the right trade off.

Ashish Rajan: Oh, I see

it’s a good point. So it maybe makes me even think then so if negotiation and talking to other people is also important and we kind of touched on the technical piece earlier. We spoke about AWS, but how much is [00:20:00] requirement , would you say knowing about cloud is a good skill to have, or how essential do you think it is to know about cloud in a leadership role?

Lisa Hall: I think it is essential. And again, depending on. Your company and what you’re doing, but I think it is pretty much an essential skill set. I’ve worked at different companies. Like on-prem obviously was the place I was at. When I had my first startup experience was Twilio.

This is like 2013 and

Ashish Rajan: my, that was Twillio was there back in the day.

Lisa Hall: Yeah, we were startup. And that was, I was consulting previously to that where I was like, oh, we totally like HR data centers. And this is a thing, like you’re pulling out a server and that was the first place I worked.

It was just fully cloud, like all, all cloud. But the interesting thing is like, you can take those concepts. So I think you do need you to it’s it’s not going to hurt you to know about cloud security and the cloud environment. Like that’s definitely a direction that business is going. So it is probably a good idea to learn about it.

It’s not going to hurt you on the other side, the things that I learned from kind of growing up in the on-prem [00:21:00] more. Have definitely helped me with the cloud where it’s like, no, no, I know you say the cloud, but you just need a data center. That’s owned by somebody else. And like, I am going to walk in there and see probably a lot more racks servers than I would’ve in our data center, but it helps understand the concepts and like visualize that this is a thing and it’s in the cloud, but it’s still the same kind of like plug unplug thing that you would have.

And then the controls are just a little different. And that’s to me, the fun part, I get to learn this new thing. Like, oh, this isn’t, this is going to be logical segregation, as opposed to physical segregation, like I’m still going to have it segregated, just not by a cage, , like my virtual cage.

Ashish Rajan: That’s an interesting point because, so with people who have on-premise experience and probably have that security leadership role in their mind as their next step or. A step in the future. If that’s still did feel as relevant in the cloud world on from this

Lisa Hall: experience. Totally. Oh, I totally think so.

I think that can only help you in the cloud experience because you’ve seen what it looks like physically. And so when you can kind of [00:22:00] anticipate , what if I had to just have a shared server, how would I protect that? Or whatever questions you’re asking or looking at AWS?

, it makes it to me, at least it helps. Yeah. The implementation is going to be different, but the concepts are very similar.

Ashish Rajan: So your point, it would be more around, we should think about cybersecurity in a data center. You don’t have to, someone else takes care of it. So it’s almost like picking what you need to worry about and what you don’t need to worry about coming from an on-premise experience.

Lisa Hall: Yeah. Yeah. Oh yeah. I mean, from knowing the audit side of the house too, it’s like, well, , I trust AWS. I hope I do, , sort of the other businesses in the world. And it does kind of you’re transferring the risk, but you’re transferring the risk to like a well-known hopefully somebody you’ve vetted.

Kind of data center. So,

Ashish Rajan: so and actually that’s pretty good to know that. I mean, I imagine a lot of people are, do have on-premise experience and have had that experience for a long time. And for them to transition into a leadership role, probably moving into a cloud space, it should still, they would still be able to find themselves being relevant.

I’ll give using that experience. Is that [00:23:00] a particular topic in cloud security or what are some of the topics that you kind of have to feel maybe important to know about? Not, not too much in detail, but just a few topics that people should know about when they’re trying to go for a leadership role in a cloud first kind of company.

Lisa Hall: I think another thing I think we should do more of, but I would recommend doing, just leveraging open source tools for companies that are well known for that. So like I know PagerDuty, we open source our incident response and our security awareness training segment recently open sourcing, some developer training.

I love that we do this as a community and I want us to do more of this. Like you can leverage those things.

Is a good place to start.

I also think as leaders, we just have to look at how we can be proactive and understanding risk. It really comes down to me to understand the risk that’s particular to your organization and your business. And there isn’t one size fits all. Like we have these standards and those are great. But to be that leader, I think you really do have to understand what’s going to be best for your business.

[00:24:00] For PagerDuty. We do on call alerting. So being able to deliver that quickly it is a very important thing for the business. So as a security leader, I can’t install something. That’s going to increase latency by a lot because I already know why would I even ask for that?

It’s going to make latency go up and we care about latency because we need to have instant notifications go like this, but no, you’re right. Right. It’s like, no, those kinds of trade-offs in what you what’s important to the business.

Ashish Rajan: And on, on premise, I think we need to, as a commentator, which is really interesting as valid.

So it does help in building hybrid solutions as well. If you come with on premise experience, if got a hundred percent agree . So this on the money is. I know we’ve been talking about, I guess, skills required to become a good leader, a security leader in our field, and how someone can transition over from a non I guess non-technical degree or a non cybersecurity degree.

For people who may not have the opportunity, they may not be EA to a CISO to that. It’s for them to be able to go in and I guess, get that exposure on the, on the job. You touched on networking just before as well., how would you I guess [00:25:00] talk about networking from a perspective that say someone maybe from a non-technical background, probably another EA who may be listening into this and going I’m not an EA to a CISO

so should I become an EA to a CISO so I can get that experience? Or like, what are some of the things that they could be doing to get into this.

Lisa Hall: Yes. I mean, yeah, sure. If you can be an EA to a CISO , that’s a great, that that works for me. I think there’s a lot of different ways to get into the field. The biggest advice I would give is to find your passion, cause that’ll probably lead you into your door, to the field.

So like for example someone on our team, our technical program manager, she came from an educational background and she was trying to solve a problem in education. And she was like, this would be so cool if I could build this thing that would automate this and solve this problem. And that was very security related.

So she’s already thinking like that. Or if you want to learn code think of a problem you want to solve. Because that’s way more interested in writing code. Like I want to learn Python, but what’s the kind of thing I have to do, or I really want to do. So I can learn this. And I, and I think that kind of [00:26:00] goes same with career.

Like yes. Leverage your network, leverage your company, find the people you can talk to and then find your passion. If you really think, I don’t know, like home security is your passion. You’re like, oh, I really want to check out. I don’t know, nest and ring and whatever else. Like I want to figure this out, like play around with it.

Cause that that’ll be your passion and that’ll lead you towards that. Almost automatically, if you seek out.

Ashish Rajan: Yeah, actually, that’s interesting because you mentioned about the nest and ring as well, because everything that we are, we’re surrounded by technology on a day-to-day basis. And to think that cybersecurity is just about, oh, it’s in a professional setup, but I’ve been for security analyst roles.

A lot of the times the questions are revolving around the fact that what have you done recently from a security project perspective could be a home project. What did you do to, I don’t know, like keep your home internet safe. Well, or whatever else, even that’s a , great project to work on.

Lisa Hall: Totally. I totally agree with that.

Like add it to your resume. Like I know how to do the thing. It’s networking.

Ashish Rajan: Yeah, it’s actually, oh, well, I mean, it sounds like it, it may come as a common sense for a lot of people, [00:27:00] but we kind of keep quite circling on the fact that actually and this maybe for non-technical background, people may be like, oh, I didn’t really think that was a relevant qualification.

Totally relevant conversation at that point. Right.

Lisa Hall: Oh, I totally agree. Like security education. I don’t know. I taught my parents how to use one password.

Ashish Rajan: That’s the pitch. Oh my God. Yet actually security awareness is all about this. Actually talking about security awareness makes me think that.

So you seem to have like a diverse team as well from diverse background, nontechnical backgrounds, . So clearly you hired really well. So congratulations. And I was curious in terms of what are your thoughts on hiring for like any cyber security leaders listening to this who obviously want to I guess attract diverse background people from non-technical background?

Cause I definitely believe coming from a non-technical background, they automatically have an advantage. Because they are kind of, I guess they don’t have the bias that we’ve given as part of our technical training, they question everything and that’s perfect because they’re like, why do you do this?

It’s so stupid. I’m like, no, this is what I would start. But I guess what you’re saying is right as well, because it’s pretty far automated. [00:28:00] So I’m just curious to know from you, what are your thoughts on hiring and maybe some of the ways you’ve been able to attract the best individuals

Lisa Hall: yeah. Thank you. And I totally agree. Like it’s we have interns that come on. I was like, oh, you have like, you’re so excited about this. I love it. And then you get to us and we’re like jaded, but yeah, I still try to be optimistic. Yes. So our team is majority women. We are diverse in many other ways as well.

I think if you’re trying to hire diversely, the first advice I would give is create the team that you want that person to be yet, like create that company because people work for people. People want to see that. It hasn’t been difficult to hire a diverse workforce insecurity because people see the team and it’s like, oh, I clearly belong there.

I like, see people like myself there. I think that that definitely helps like build, be that thing that you want your team to be. So practice what you preach. Put in the work as my intro song said, you gotta work. You gotta put in the work. And I think networking and really reaching out [00:29:00] to people directly on LinkedIn and genuinely creating some connections.

Right. Is really useful. It don’t rely on your recruiting team to do everything for you. I know it’s not the super popular opinion, but put in the work. I also think when you see a call-out things you see, like if I see candidates coming in for principal engineers, and everybody kind of is looking the same or coming from the same place, I’m going to question it.

I’m like, why, why am I seeing this? Is it my network? Is it the recruiting? Are we just recruiting from this one school? Like what is happening? I want to see diversity, like no matter what my team ends up being I want to see diverse candidates from different. Backgrounds, different schools, cabinet everything.

So,

Ashish Rajan: and do you feel like it’s a, I think you kind of mentioned the interesting thing as a leader who’s hiring you probably are a good person to even question that when you see, I guess obviously we’re not, we may be hiring for our team, but we are not the ones who are actually actively putting the job ad out or there’s someone helping us out.

So when you see a particular pool of candidates, come in, who, I guess to your point, have a similar background, you almost say, oh, I wonder [00:30:00] what the place where we advertising is the right place to advertise of. I wonder if the place where we are reaching out to, if they are the. People just find diverse candidates in the first place.

I never thought about it from that perspective. That’s a good point to kind of call out because it’s not just about going through the standard channels of, oh, this is what we get because no one else is applying for the job. Maybe it is the source itself for wherever you’re looking

Lisa Hall: or what’s in the job.

Right. Like, did we have some crazy stuff in the job description? Like, oh, you must have 15 years experience and you must know AWS and you also must know elixir. That must be your code base. Like, I don’t know, just pick him like exactly what that company like, , , do we want to talk to someone and, and step away from that experience and have them say, oh, what you’re talking about?

I have trust in you. Like you would be great here. You’re thinking about solving problems. Your you’re thinking about these things and stuff. The check mark

Ashish Rajan: thing. I I’ve put a question here from Jothi as well. Just kind of on a similar vein as well. Entry-level sub security or cloud security roles, demand, certification, or product experience, and the talks on how to approach it or how to get equipped.

Lisa Hall: Yeah. Good question. [00:31:00] Thanks. I’m not the biggest fan of certifications. But I do think early in your career, they are a good indicator that you went and learned a thing. And you learned it well enough to be tested on it and certified in it and a lot. Yeah. If a role you want requires it. I think it’s fine.

Like I’ve had certifications. I think I got CISM because it was a requirement for the thing that I was doing. I didn’t renew it. Well, good

Ashish Rajan: CISSP for a junior role. Yes. That would definitely be a great show to figure it out. But junior at all,

Lisa Hall: like a four hour test, no security plus is a good starter security plus is a good first kind of cert I think.

And then it depends on what you’re into. The certified ethical hackers, or if you’re interested in going that kind of pen testy route CIS M , is not a difficult in my opinion, not as long. I don’t know. I think the test is shorter to think back. But there are depending on your route, also those, those kinds of roles, but I think security plus is still.

Pretty legit SANS Institute Hackbright academy. There are a lot of certification courses that you can find that are relevant to what you [00:32:00] want to do. And also scholarships. There’s the all offer scholarships,

Ashish Rajan: the awesome . So , we definitely believe certification has some role in the beginning of a career.

So maybe it, depending on where you are Jothi , that could be a good start as well. Coming back to the hiring pieces. So we’ve been able to at least talk about checking the source for the hiring in terms of I said earlier, as well as commendable, that you have a majority of women team as well, because most of the CISOs talking about how do we attract more other genders apart from men applying for jobs.

So what could leaders be, I guess, doing, to attract other genders for their job and not that it’s, it’s I don’t think it’s a problem, but I think it’s one of those ones where sometimes when you see all men coming in as applicants, to your point, is that more the application itself or is it just that we are talking about it in, I guess in the right side.

Lisa Hall: Yeah, I don’t believe it’s a problem. I don’t think there’s a pipeline problem. I I think part of it is clearly people’s networks kind of show who that they are reaching out to security. Traditionally has been a pretty small. Industry , [00:33:00] history of people hiring people used to work with like your friends and especially in Silicon valley what I’m happy about and what I think can help other CISOs looking to hire diverse teams is Partially because of COVID for many companies, we now can hire fully remote.

So we don’t have to have, we don’t have to stick to the particular places. Maybe our corporate offices are. Which also means you don’t have to stick to your traditional, like, oh, this person went to this school or this person worked for a startup in Silicon valley. Or whatever things we were, whatever requirements we were sticking to before I think we can open that up broader.

I’ve appreciated it. I’ve been super excited that I can hire From many different places now not just have to stick to San Francisco.

Ashish Rajan: Oh, actually that’s a good point because with the whole remote working, you kind of have hired anyone from anywhere and depending on I guess how you want to have the role you can even have hired from outside your country as well.

If you have multiple offices across the world, actually, that’s a good point. .

We spoke about the hiring challenge and we also spoke about the fact that how do we attract other genders to apply [00:34:00] more for the jobs as well? It’s your point? It could be a reflection of our own circle as well for when, when we post a job and who applies for it. So maybe it’s worthwhile looking on insight, us as well.

I’m curious from a cloud perspective, cause you had touched on earlier that. It is becoming slowly more common conversation in organizations. No, one’s really going to our data center for physical security, more and more people are going into cloud. So from a hiring perspective for that, are you finding any challenges, like what’s the biggest challenge that you find when hiring.

I guess with that context of cloud.

Lisa Hall: Yeah. I think again, hiring challenges I’ve seen tend to just be from being too specific. It kind of goes back to our conversation before, if you want somebody who understands the cloud. Then you PR isn’t it to put AWS as a requirement or Azure as a requirement.

Maybe you just want someone who understands how cloud stuff works and it’s going to be different. But to me, I’d rather have someone who understands , those base concepts, as opposed to like, I’m hoping, they’re excited about [00:35:00] learning. They know they’re getting, they’re accepting this job.

They’re know they’re moving to whatever we’re doing. And want to learn it again, if they’re, if you’re hiring for a super senior technical role that, , you’re looking for this, like, I need you to be AWS. I am like knowledgeable. Sure. You’re getting it. You’re going to tune it to that. Mostly getting someone who understands base concepts of things and is interested in learning.

Whatever it’s moving to I think is probably some of the best advice and updating job descriptions to be more like overall knowledge, as opposed to super specific.

Ashish Rajan: Yeah. Actually, that’s an interesting point as well. I’m finding, learning so much from this because a lot of the conversations, if I were to kind of go back on to the hour that you’ve spent together so far a common theme that’s come across as having a more broader approach to hiring in terms of not just calling our specifically AWS, unless you’re looking for a senior role, but for someone who’s transitioning over from a non-technical.

A junior role to another junior role, maybe it is important for us to talk about from a broader perspective, just because you have an AWS certificate, doesn’t really mean you can’t do Azure. You can’t do Google cloud. You can still, I mean, it’s still a [00:36:00] cloud. You can probably pick up, okay, this is how it’s different, but it’s a similar.

Yeah,

Lisa Hall: I totally. And everything changes so quickly anyways, too. Like that’s the fun and interesting part of security. So if we’re married to some old technology, it’s probably not going to go well for us in security. Cause that it’s going to change pretty soon. Like, oh, Kubernetes, it’s hot. Oh, this thing is hot.

All of a sudden Python is a language to use. I don’t know. There’ll be something different. Like if I just stuck to cobalt my entire life, I probably I’d have like three jobs. I could go work and they’d be fixed.

Ashish Rajan: I’ve got some fun questions towards the end and , just three, not too many.

And so first question being, what do you spend most time on when you’re not working on technology or cloud or cybersecurity?

Lisa Hall: I play video games. I do I also, so, so I actually went to fashion design school before I was wasn’t Yale.

Ashish Rajan: Oh well you, you and I have one thing in common, I just, for probably my wardrobe somewhere, or they usually comes in the background.

Yes.

I

Lisa Hall: love it. So, yeah, so I, sew in my spare time I find it very meditative and I like being creative. I also think security is a creative industry and halves. [00:37:00] Like, you got to kind of think like, how am I gonna say. I also play video games. I’m really the best at couch co-op for anyone who wants to know I’m just, I enjoy it.

I’m not saying I’m really good at it, actually. Like being able to game with somebody it’s probably, yeah, I’d probably spend a lot of time on X-Box. So when I’m not.

Ashish Rajan: That’s so sewing and X-Box, it’s great. They’d have great hobbies to have because it’s such extreme as well. It’s almost like I imagine Lisa sewing in one end and then next minute, she’s on the video game.

Just basically smashing the keyboard or the keys.

Yeah. Wow. There you go. So very diverse skill set over there as well. Our next question, what is something that you’re proud of, but is not on your social media?

Lisa Hall: Wow. I can’t really say, cause it’s not on my social media. Overall, I would just say my daughter.

Ashish Rajan: Oh, nice. So, and that I find that it’s a tricky question to ask as well, but she would need to just tone the deep end straight.

It was so great. Answer. Sure your daughters got brownies points for you. Yes. Brownie points. So last one. What’s your favorite cuisine or restaurant that you can.

Lisa Hall: Ooh. Oh, wow. So my favorite place is a place that I can’t remember the name of in [00:38:00] Barcelona. So I love bars. Like I love the tapas , like small, like get a little bit of everything style.

That’s the way to go. Yeah. I want to eat it all. So we were in Barcelona and there was this place where the food was just so good. I think we. Definitely twice, two or three times during the trip there. And if I find the name, I’ll send it to you so you can share it. But it was amazing. Like by far Barcelona had the food and I was like, I can live here.

I can live here. This is how I can do, I can eat at nine or 10 at night and just have little. Yeah. Oh, this is, this is, this is my place.

Ashish Rajan: I feel like a year and I have so much common data as well. Cause that reminds me of a trip that my wife and I did to Japan. And on the way back. So we there’s a facing Osaka called Dotonbori lane, which is that kind of what people take short.

It’s just basically a whole street street food vendors and our being Japan, I guess all the food was really amazing and kind of like, we kind of enjoy taking bits and pieces from everywhere. The first time we went there after we were going to Kyoto and we were going to go straight from Kyoto to Osaka, sorry, Kyoto to Tokyo pass Osaka, but we loved the food so much.

We stopped there in the [00:39:00] Osaka . Got a new ticket for totally ditched, a previous ticket so that we can just try the place again. So I can totally appreciate and respect the fact that when, even though you’re traveling to a country or to a city, you go multiple times to the same place. Yeah. A hundred percent respectful that because you just like, that when you go back, this is not going to be there.

It’s not like just keep experiencing it as much as possible before you kind of walk away. I

Lisa Hall: love that you’ve had that experience. I totally agree. It’s like, yeah, we should try something else while we’re here. But that place so Kyoto , we, I had a restaurant in Kyoto. That was that for me, like, oh, it was just so good.

But everything that I ate in Japan was also really good.

Ashish Rajan: Yeah. I’m in that category as well,, I really appreciate the time you’ve spent with us so far. So for people who may want to reach out to you and know a bit about our diverse hiring as well, and maybe grow their own team of diverse people and maybe even get some more experience on what it’s like to become a head of security, how to get there.

What, where can people find you? And what’s a good way to.

Lisa Hall: Yeah, definitely on LinkedIn or Twitter. Find me on there. I, if you send me a message, I mean, I meet with, I have a [00:40:00] busy, crazy schedule, but I will meet with people if you reach out and you have questions or want to connect, like again, I really appreciate our community.

I appreciate you having me on the podcast. And I think that that’s just something I want to continue growing. For everyone that’s in security , I think practice what you preach and yeah.

Ashish Rajan: Yeah. Awesome. No, thank you. Thank you for that. I’ll definitely encourage people to connect with you as well.

And those people who are ask the question during the, I guess, during that session as well, if you have follow-up questions, feel free to reach out to Lisa.. Thank you so much again for coming in on the show, I really enjoyed our conversation and representing gen X

Lisa Hall: especially with their nineties hip hop.

Ashish Rajan: That’s right. It’s hard to represent. Oh my God.

Awesome. All right. Thank you so much for your time and thank you everyone else who was listening in. See you next weekend, but I’m looking forward to having you again soon.. Thanks everyone. Peace.

‍