Lesley Heizman - How to Balance Cybersecurity with Business Operations
Critical Stats
LinkedIn: https://www.linkedin.com/in/lesleyheizman/
Started their cybersecurity journey in: 2020
Most passionate about: Tool tinkering & systems/process setup
Favorite zero-day: Stuxnet
Favorite song: I Like It Like That by Pete Rodriguez
Introduction
Lesley is a risk and compliance expert who’s worked in various industries, from healthcare to e-commerce to tech. She’s passionate about privacy, self-development, helping people's career pivots, Diet Coke, and spicy margaritas! In her spare time, she’s a boy mom, wife, and dog mom who loves lifting heavy things, reading, and podcast listening!
Lesley is up-and-coming
We selected Lesley because she is up-and-coming, but more than that, she is a go-getter! She emerged on the cyber scene through hard work and determination. She loves to learn, share knowledge, and assist anyone in need.
Without further ado, we asked Lesley our standard set of 5 questions to rule them all, and here are her responses:
Five questions to rule them all!
1. What is the biggest problem we are dealing with in cybersecurity?
Right now, a significant area of focus for me is how our security and compliance team can insert tooling/training/process into areas of the business to be more effective in our ability to protect and defend, while at the same time letting people focus on their areas of genius without being too intrusive. We’re trying to walk that fine line of getting more education out there, creating more internal champions, and keeping security in mind through everyday actions, while realizing that security is not the center of everyone’s world (even though we might imagine it to be).
2. How can we find the right balance between security/compliance and business operations?
I think many security teams assume their users or staff (outside of security) know a lot about safe security practices, but often that is not the case. I haven’t talked with many people who would intentionally put their company at risk after they have the proper knowledge & awareness of good security practices. The key is not to assume and instead take the time to educate and inform. Sometimes, the non-sexy things go the furthest, like updating your laptop or reporting a phishing attempt. But not everyone knows those things; hence, education is critical.
It is also essential to establish a company culture where it is okay not to know everything or to make a mistake. At the end of the day, employees should feel supported by security and compliance teams. By working together, they will figure it out and address issues.
3. What are three actions a CEO can take to protect their company from cyberattacks?
Ooh, this is a good question!
The best way a CEO can protect their company is to strongly support (and be a public voice/participant in) security and compliance initiatives. It goes a long way when staff see that support and importance to their leadership. It helps set the tone and encourages company-wide participation.
A second important piece is to include your Chief Information Security Officer (CISO)/security leader in more leadership-related activities and communications—board meetings, company planning, customer advisory boards, product discussions, whatever the case. An informed CISO involved in these activities can better protect the business when they know what’s happening across the organization and understand its needs.
Finally, it is crucial to have a great relationship with your CISO and take the time to share the most significant risks you face and how you address them. This will enable the CISO to craft a security plan best suited for your business needs. I know this is not easy with all of the demands on your and the CISO’s time, but building a relationship on trust and transparent understanding will enable both of you to rely on each other’s expertise. That strong bond will be pivotal during times of stress or crisis; very few things will be a surprise that you both are not prepared to tackle.
4. What are the best resources for learning more about cybersecurity?
The top for me is podcasts, my community on LinkedIn (to include other communities), and vendors that put out great content in their communities/blogs/support sites/webinars, all of which you can take advantage of!
I hang out in online communities filled with trusted experts. I listen to their podcasts and read their articles/books. I have learned so much from their expertise and experience. My team members will tell you I’m a crazy podcast listener and book reader. This has been critical to me in transitioning into this career when I started with zero security experience. These experiences have helped me much more than the formal education I have received.
Here are some fantastic resources I recommend everyone check out!
For podcasts, I listen to:
Cyber Risk Management Podcast by Kip Boyle/Jake Bernstein
CISO Series & Defense in Depth by David Spark
Afternoon Cyber Tea by Ann Johnson
The Data Diva Talks Privacy by Debbie Reynolds
Shifting Privacy Left by Debra J. Farber
Hard Fork by Casey Newton/Kevin Roose (That one is about tech in general, and they are hilarious!)
Regarding communities, I'm involved with:
Basecamp by DataGrail (I absolutely love the content shared there!)
The Partially Redacted community by Skyflow
The Privacy Pro's community by Jamal Ahmed
My local Kansas City International Association of Privacy Professionals (IAPP) chapter
Women in CyberSecurity (WiCYS)
For content, I often go to webinars held by Drata (a compliance automation platform) and read content from CrowdStrike, Wiz, KnowBe4, Microsoft, Google, IAPP, and ISACA.
5. What is one piece of advice for those wanting to pursue a cybersecurity career?
I recommend learning about the multiple pathways in cybersecurity, clarifying what cyber areas you might enjoy, and how your skills can translate to those areas if you want to pivot or break into the field.
When I first started, I had no idea of all the different areas of focus and types of roles in cybersecurity. I had never heard of Governance, Risk, and Compliance (GRC). I only knew career paths like being a pen tester, cybersecurity engineer, or network engineer. I remember I took a short cybersecurity boot camp program at night through a local community college while working my product management job and thinking, “While I enjoy this boot camp, I don’t see myself going down this path.” At the time, I decided not to move forward with that program and wondered if I was making a huge mistake. It turned out I was not interested in those specific types of roles! It was not until I started researching, reaching out to my network, and truly comprehending my interests that I could understand how to translate my skills into my true cybersecurity passion, GRC!
Do you know of someone deserving of the coveted decodingCyber One2 Watch honor? If so, nominate them by emailing us here!